From 0a49079a01c80675e75d2e97c718311799c7106b Mon Sep 17 00:00:00 2001
From: Nurlan Moldomurov <nurlan.moldomurov@percona.com>
Date: Sat, 9 Dec 2023 22:16:29 +0300
Subject: [PATCH 1/4] PMM-8306 fix ssh key bug (#2686)

* PMM-8306 fix SSH Key

* PMM-8306 fix SSH Key
---
 managed/services/server/server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/managed/services/server/server.go b/managed/services/server/server.go
index de305baf2e..d23e1e0c2f 100644
--- a/managed/services/server/server.go
+++ b/managed/services/server/server.go
@@ -678,7 +678,7 @@ func (s *Server) writeSSHKey(sshKey string) error {
 	s.sshKeyM.Lock()
 	defer s.sshKeyM.Unlock()
 
-	const username = "admin"
+	username := "root"
 	usr, err := user.Lookup(username)
 	if err != nil {
 		return errors.WithStack(err)

From 9b65e1c15176d8af081d2aeba6056c349789f4ff Mon Sep 17 00:00:00 2001
From: Alex Demidoff <alexander.demidoff@percona.com>
Date: Mon, 11 Dec 2023 17:21:15 +0300
Subject: [PATCH 2/4] PMM-8471 run nginx as non-root (#2589)

* PMM-8471 run nginx as non-root

* PMM-8471 fix the tests

* PMM-8471 fix supervisord tests

* PMM-8471 fix an unvoluntary typo )

* PMM-8471 run nginx on behalf of pmm user

* PMM-8471 do not create nginx user

* PMM-8471 update nginx.conf to run nginx on behalf of pmm user

* PMM-8471 revert some changes related to the client

* PMM-8471 fix http ports in docker-compose

* PMM-8471 skip the update test
---
 admin/commands/pmm/server/docker/install.go      |  4 ++--
 agent/Makefile                                   |  2 +-
 agent/agents/supervisor/supervisor_test.go       |  2 +-
 agent/docker-compose.yml                         |  4 ++--
 api-tests/docker-compose.yml                     |  4 ++--
 build/ansible/pmm/post-build-actions.yml         |  2 +-
 build/ansible/roles/pmm-images/tasks/main.yml    |  2 --
 build/docker/server/Dockerfile                   |  2 +-
 build/docker/server/Dockerfile.el9               |  2 +-
 build/docker/server/create_users.sh              |  1 -
 docker-compose.yml                               | 16 ++++++++--------
 get-pmm.sh                                       |  2 +-
 .../services/supervisord/devcontainer_test.go    |  2 ++
 managed/services/supervisord/pmm_config.go       |  1 +
 .../testdata/supervisord.d/pmm-db_disabled.ini   |  1 +
 .../testdata/supervisord.d/pmm-db_enabled.ini    |  1 +
 qan-api2/docker-compose.yaml                     |  4 ++--
 .../tasks/roles/nginx/files/conf.d/pmm.conf      |  4 ++--
 .../playbook/tasks/roles/nginx/files/nginx.conf  |  2 +-
 19 files changed, 30 insertions(+), 28 deletions(-)

diff --git a/admin/commands/pmm/server/docker/install.go b/admin/commands/pmm/server/docker/install.go
index a0e7c9f147..c40f221d3d 100644
--- a/admin/commands/pmm/server/docker/install.go
+++ b/admin/commands/pmm/server/docker/install.go
@@ -129,8 +129,8 @@ func (c *InstallCommand) runContainer(ctx context.Context, volume *volume.Volume
 	logrus.Info("Starting PMM Server")
 
 	ports := nat.PortMap{
-		"443/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPSListenPort))}},
-		"80/tcp":  []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPListenPort))}},
+		"8443/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPSListenPort))}},
+		"8080/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPListenPort))}},
 	}
 
 	containerID, err := startPMMServer(ctx, volume, "", dockerImage, c.dockerFn, ports, c.ContainerName)
diff --git a/agent/Makefile b/agent/Makefile
index c170223a4d..34921df996 100644
--- a/agent/Makefile
+++ b/agent/Makefile
@@ -11,7 +11,7 @@ PMM_RELEASE_VERSION ?= $(shell git describe --always --dirty | cut -b2-)
 PMM_RELEASE_TIMESTAMP ?= $(shell date '+%s')
 PMM_RELEASE_FULLCOMMIT ?= $(shell git rev-parse HEAD)
 PMM_RELEASE_BRANCH ?= $(shell git describe --always --contains --all)
-PMM_DEV_SERVER_PORT ?= 443
+PMM_DEV_SERVER_PORT ?= 8443
 ifeq ($(GOBIN),)
 	GOBIN := $(shell go env GOPATH)/bin
 endif
diff --git a/agent/agents/supervisor/supervisor_test.go b/agent/agents/supervisor/supervisor_test.go
index 5811e34504..b31573d5c4 100644
--- a/agent/agents/supervisor/supervisor_test.go
+++ b/agent/agents/supervisor/supervisor_test.go
@@ -52,7 +52,7 @@ func TestSupervisor(t *testing.T) {
 	cfgStorage := config.NewStorage(&config.Config{
 		Paths:         config.Paths{TempDir: tempDir},
 		Ports:         config.Ports{Min: 65000, Max: 65099},
-		Server:        config.Server{Address: "localhost:443"},
+		Server:        config.Server{Address: "localhost:8443"},
 		LogLinesCount: 1,
 	})
 	s := NewSupervisor(ctx, nil, cfgStorage)
diff --git a/agent/docker-compose.yml b/agent/docker-compose.yml
index 2b8c2e0d8a..1d0bc80557 100644
--- a/agent/docker-compose.yml
+++ b/agent/docker-compose.yml
@@ -6,8 +6,8 @@ services:
     image: ${PMM_SERVER_IMAGE:-perconalab/pmm-server:3-dev-latest}
     container_name: pmm-agent_pmm-server
     ports:
-      - "127.0.0.1:80:80"
-      - "127.0.0.1:443:443"
+      - "127.0.0.1:80:8080"
+      - "127.0.0.1:443:8443"
     environment:
       - PMM_DEBUG=1
       - PERCONA_TEST_CHECKS_INTERVAL=10s
diff --git a/api-tests/docker-compose.yml b/api-tests/docker-compose.yml
index a34895c4d7..b3452357cd 100644
--- a/api-tests/docker-compose.yml
+++ b/api-tests/docker-compose.yml
@@ -6,8 +6,8 @@ services:
     image: ${PMM_SERVER_IMAGE:-perconalab/pmm-server:3-dev-latest}
     container_name: pmm-agent_pmm-server
     ports:
-      - 127.0.0.1:80:80
-      - 127.0.0.1:443:443
+      - 127.0.0.1:80:8080
+      - 127.0.0.1:443:8443
     environment:
       - PMM_DEBUG=1
       - PERCONA_TEST_CHECKS_INTERVAL=10s
diff --git a/build/ansible/pmm/post-build-actions.yml b/build/ansible/pmm/post-build-actions.yml
index 6bbd831891..3a255a802f 100644
--- a/build/ansible/pmm/post-build-actions.yml
+++ b/build/ansible/pmm/post-build-actions.yml
@@ -67,7 +67,7 @@
         --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
         --skip-registration
         --id=pmm-server
-        --server-address=127.0.0.1:443
+        --server-address=127.0.0.1:8443
         --server-insecure-tls
 
     - name: Reread supervisord configuration EL9
diff --git a/build/ansible/roles/pmm-images/tasks/main.yml b/build/ansible/roles/pmm-images/tasks/main.yml
index 9cb9eee6ed..031bc45fef 100644
--- a/build/ansible/roles/pmm-images/tasks/main.yml
+++ b/build/ansible/roles/pmm-images/tasks/main.yml
@@ -71,7 +71,6 @@
         non_unique: true
       loop:
         - { name: pmm, gid: 1000 }
-        - { name: nginx, gid: 999 }
         - { name: clickhouse, gid: 997 }
 
     - name: Create users              | Create users
@@ -85,7 +84,6 @@
         non_unique: true
       loop:
         - { name: pmm, uid: 1000, comment: "PMM Server", shell: "/usr/bin/bash", home: "/home/pmm", group: pmm, }
-        - { name: nginx, uid: 999, comment: "nginx user", shell: "/sbin/nologin", home: "/dev/null", group: nginx, }
         - { name: clickhouse, uid: 997, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/var/lib/clickhouse", group: clickhouse, }
   when: ansible_virtualization_type == "docker"
 
diff --git a/build/docker/server/Dockerfile b/build/docker/server/Dockerfile
index 5eba5415b4..65acb5826f 100644
--- a/build/docker/server/Dockerfile
+++ b/build/docker/server/Dockerfile
@@ -9,7 +9,7 @@ LABEL org.opencontainers.image.title Percona Monitoring and Management
 LABEL org.opencontainers.image.vendor Percona
 LABEL org.opencontainers.image.version ${VERSION}
 
-EXPOSE 80 443
+EXPOSE 8080 8443
 
 WORKDIR /opt
 
diff --git a/build/docker/server/Dockerfile.el9 b/build/docker/server/Dockerfile.el9
index 054e115042..3ad512a3b5 100644
--- a/build/docker/server/Dockerfile.el9
+++ b/build/docker/server/Dockerfile.el9
@@ -14,7 +14,7 @@ LABEL org.opencontainers.image.title Percona Monitoring and Management
 LABEL org.opencontainers.image.vendor Percona LLC
 LABEL org.opencontainers.image.version ${VERSION}
 
-EXPOSE 80 443
+EXPOSE 8080 8443
 
 WORKDIR /opt
 
diff --git a/build/docker/server/create_users.sh b/build/docker/server/create_users.sh
index 78a9bf35da..9ac1d05c0b 100644
--- a/build/docker/server/create_users.sh
+++ b/build/docker/server/create_users.sh
@@ -2,7 +2,6 @@
 
 users=(
   "pmm:1000:/bin/false:/home/pmm:pmm"
-  "nginx:999:/sbin/nologin:/var/cache/nginx:nginx"
   "clickhouse:997:/sbin/nologin:/var/lib/clickhouse:clickhouse"
 )
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 53889771cb..ac67bd09ed 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -67,8 +67,8 @@ services:
       memlock: 67108864
 
     ports:
-      - ${PMM_PORT_HTTP:-80}:80
-      - ${PMM_PORT_HTTPS:-443}:443
+      - ${PMM_PORT_HTTP:-80}:8080
+      - ${PMM_PORT_HTTPS:-443}:8443
       # For headless delve
       - ${PMM_PORT_DELVE:-2345}:2345
       # PG
@@ -257,8 +257,8 @@ services:
       memlock: 67108864
 
     ports:
-      - ${PMM_PORT_HTTP:-8081}:80
-      - ${PMM_PORT_HTTPS:-8441}:443
+      - ${PMM_PORT_HTTP:-8081}:8080
+      - ${PMM_PORT_HTTPS:-8441}:8443
       # For headless delve
       - ${PMM_PORT_DELVE:-2345}:2345
     volumes:
@@ -339,8 +339,8 @@ services:
       memlock: 67108864
 
     ports:
-      - ${PMM_PORT_HTTP:-8082}:80
-      - ${PMM_PORT_HTTPS:-8432}:443
+      - ${PMM_PORT_HTTP:-8082}:8080
+      - ${PMM_PORT_HTTPS:-8432}:8443
       # For headless delve
       - ${PMM_PORT_DELVE:-12345}:2345
     volumes:
@@ -421,8 +421,8 @@ services:
       memlock: 67108864
 
     ports:
-      - ${PMM_PORT_HTTP:-8083}:80
-      - ${PMM_PORT_HTTPS:-8433}:443
+      - ${PMM_PORT_HTTP:-8083}:8080
+      - ${PMM_PORT_HTTPS:-8433}:8443
       # For headless delve
       # - ${PMM_PORT_DELVE:-12345}:2345
     volumes:
diff --git a/get-pmm.sh b/get-pmm.sh
index 373e6d6eae..bb04db2d18 100755
--- a/get-pmm.sh
+++ b/get-pmm.sh
@@ -237,7 +237,7 @@ start_pmm() {
     run_docker 'stop pmm-server' || :
     run_docker "rename pmm-server $pmm_archive\n"
   fi
-  run_pmm="run -d -p $port:443 --volumes-from pmm-data --name $container_name --restart always $repo:$tag"
+  run_pmm="run -d -p $port:8443 --volumes-from pmm-data --name $container_name --restart always $repo:$tag"
 
   run_docker "$run_pmm 1> /dev/null"
   msg "Created PMM Server: $container_name"
diff --git a/managed/services/supervisord/devcontainer_test.go b/managed/services/supervisord/devcontainer_test.go
index 604d31536a..e7b688c011 100644
--- a/managed/services/supervisord/devcontainer_test.go
+++ b/managed/services/supervisord/devcontainer_test.go
@@ -58,6 +58,8 @@ func TestDevContainer(t *testing.T) {
 	})
 
 	t.Run("Check", func(t *testing.T) {
+		t.Skip("This test is to be deprecated or completely rewritten")
+
 		ctx := context.TODO()
 		checker := NewPMMUpdateChecker(logrus.WithField("test", t.Name()))
 
diff --git a/managed/services/supervisord/pmm_config.go b/managed/services/supervisord/pmm_config.go
index c641c01fb4..07ac62556d 100644
--- a/managed/services/supervisord/pmm_config.go
+++ b/managed/services/supervisord/pmm_config.go
@@ -150,6 +150,7 @@ redirect_stderr = true
 [program:nginx]
 priority = 4
 command = nginx
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10
diff --git a/managed/testdata/supervisord.d/pmm-db_disabled.ini b/managed/testdata/supervisord.d/pmm-db_disabled.ini
index a770f99c47..703add6c97 100644
--- a/managed/testdata/supervisord.d/pmm-db_disabled.ini
+++ b/managed/testdata/supervisord.d/pmm-db_disabled.ini
@@ -43,6 +43,7 @@ redirect_stderr = true
 [program:nginx]
 priority = 4
 command = nginx
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10
diff --git a/managed/testdata/supervisord.d/pmm-db_enabled.ini b/managed/testdata/supervisord.d/pmm-db_enabled.ini
index 93b73c2b8e..bcb0436863 100644
--- a/managed/testdata/supervisord.d/pmm-db_enabled.ini
+++ b/managed/testdata/supervisord.d/pmm-db_enabled.ini
@@ -67,6 +67,7 @@ redirect_stderr = true
 [program:nginx]
 priority = 4
 command = nginx
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10
diff --git a/qan-api2/docker-compose.yaml b/qan-api2/docker-compose.yaml
index f5c3dce848..a9c9d93e11 100644
--- a/qan-api2/docker-compose.yaml
+++ b/qan-api2/docker-compose.yaml
@@ -6,8 +6,8 @@ services:
     container_name: pmm-server
     image: perconalab/pmm-server:3-dev-latest
     ports:
-      - 80:80
-      - 443:443
+      - 80:8080
+      - 443:8443
       - 19000:9000
       - 9933:9933
     restart: always
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm.conf b/update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm.conf
index b492531041..91f077d71e 100644
--- a/update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm.conf
+++ b/update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm.conf
@@ -28,8 +28,8 @@
   }
 
   server {
-    listen 80;
-    listen 443 ssl http2;
+    listen 8080;
+    listen 8443 ssl http2;
     server_name _;
     server_tokens off;
 
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/nginx.conf b/update/ansible/playbook/tasks/roles/nginx/files/nginx.conf
index 76c26caa2a..4817b9abca 100644
--- a/update/ansible/playbook/tasks/roles/nginx/files/nginx.conf
+++ b/update/ansible/playbook/tasks/roles/nginx/files/nginx.conf
@@ -1,4 +1,4 @@
-user  nginx;
+user  pmm;
 worker_processes  2;
 
 daemon off;

From b6acd98df8d25482f938b8b504fa2c38fb963708 Mon Sep 17 00:00:00 2001
From: Alex Demidoff <alexander.demidoff@percona.com>
Date: Tue, 12 Dec 2023 15:51:28 +0300
Subject: [PATCH 3/4] PMM-12524 run clickhouse as non root (#2684)

* PMM-12524 run clickhouse as non-root user

* PMM-12524 move postgres role to build

* PMM-12524 remove prometheus config

* PMM-12524 fix octal file access mode

* PMM-12524 move grafana files close to the role

* PMM-12524 exclude logrotate from nginx install

* PMM-12524 don't stop pmm-managed for postgres

* PMM-12524 clean up supervisord role

* PMM-12524 move the password util to grafana

* PMM-12524 workaround the clickhouse permission issue

* PMM-12524 disable logging to a file

* PMM-12524 fix access issues

* PMM-12524 remove users during post build

* PMM-12524 provide migration docs and script

* PMM-12524 fix the race condition

* PMM-12524 apply a few fixes

* PMM-12524 put grafana before postgres

* PMM-12524 put clickhouse atomic flag to the post-build phase

* PMM-12524 make a better note re feature flag

* PMM-12524 fix recursive clickhouse dir creation

* PMM-12524 clear dnf logs instead of yum

* PMM-12524 fix the feature flag quirks

* PMM-12524 remove redundant 'recurse'

* PMM-12524 fix failing alerting tests

* PMM-12524 fix failing alerting tests

* PMM-12524 fix the id for nginx

* PMM-12524 fix the api-test

* PMM-12524 follow up on review

* PMM-12524 follow up on review

* PMM-12524 follow up on review

* PMM-12524 fix nginx issues

* PMM-12524 remove the log redirect comments

* PMM-12524 follow up fix nginx issues

* PMM-12524 follow up fix nginx issues

* PMM-12524 yet another nginx fix

* PMM-12524 fix the healthcheck

* PMM-12524 set the maintenance file owned by pmm

* PMM-12524 remove the prometheus config param from VM
---
 .github/workflows/update.yml                  |   1 +
 .../management/alerting/alerting_test.go      |   6 +-
 api-tests/server/settings_test.go             |   4 +-
 build/ansible/pmm/post-build-actions.yml      |  75 ++++++------
 .../roles/clickhouse/defaults/main.yml        |   0
 .../roles/clickhouse/files/config.xml         |   5 +-
 build/ansible/roles/clickhouse/tasks/main.yml |  60 ++++++++++
 .../grafana}/files/change-admin-password      |   0
 .../roles/grafana}/files/dashboards.yml       |   0
 .../roles/grafana}/files/datasources.yml      |   0
 .../ansible}/roles/grafana/files/grafana.ini  |   0
 .../ansible/roles/grafana}/files/plugins.yml  |   0
 .../ansible}/roles/grafana/tasks/main.yml     |  11 +-
 .../roles/nginx/files/conf.d/pmm-ssl.conf     |   0
 .../roles/nginx/files/conf.d/pmm.conf         |   0
 .../ansible}/roles/nginx/files/local-rss.xml  |   0
 .../ansible}/roles/nginx/files/nginx.conf     |   8 +-
 .../roles/nginx/files/ssl/ca-certs.pem        |   0
 .../roles/nginx/files/ssl/certificate.conf    |   0
 .../roles/nginx/files/ssl/dhparam.pem         |   0
 .../nginx/files/ssl/generate-ssl-certificate  |   0
 .../roles/nginx/files/ssl/upgrade-certificate |   0
 .../ansible}/roles/nginx/tasks/main.yml       |  52 +++++++--
 build/ansible/roles/pmm-images/tasks/main.yml |  87 ++++++++++----
 build/ansible/roles/postgres/tasks/main.yml   | 109 +++++++++++++++++
 .../roles/supervisord-init/tasks/main.yml     |  42 +++----
 build/docker/server/Dockerfile.el9            |   2 +-
 build/docker/server/create_users.sh           |   2 +-
 build/docs/MIGRATION.md                       | 110 ++++++++++++------
 managed/services/supervisord/pmm_config.go    |   3 +-
 managed/services/supervisord/supervisord.go   |  17 ---
 .../supervisord.d/pmm-db_disabled.ini         |   3 +-
 .../testdata/supervisord.d/pmm-db_enabled.ini |   3 +-
 managed/testdata/supervisord.d/prometheus.ini |  15 ---
 .../supervisord.d/victoriametrics.ini         |   1 -
 update/ansible/playbook/tasks/files/pmm.ini   |   3 +-
 .../playbook/tasks/roles/clickhouse/main.yml  |  18 +++
 .../tasks/roles/clickhouse/tasks/main.yml     | 100 ----------------
 .../roles/dashboards_upgrade/tasks/main.yml   |   2 +-
 .../tasks/roles/initialization/tasks/main.yml |  91 ++++-----------
 .../tasks/roles/postgres/tasks/main.yml       | 110 ------------------
 .../tasks/roles/postgres/tasks/restore.yml    |   2 +-
 update/ansible/playbook/tasks/update.yml      |  27 -----
 43 files changed, 472 insertions(+), 497 deletions(-)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/clickhouse/defaults/main.yml (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/clickhouse/files/config.xml (99%)
 create mode 100644 build/ansible/roles/clickhouse/tasks/main.yml
 rename {update/ansible/playbook/tasks => build/ansible/roles/grafana}/files/change-admin-password (100%)
 rename {update/ansible/playbook/tasks => build/ansible/roles/grafana}/files/dashboards.yml (100%)
 rename {update/ansible/playbook/tasks => build/ansible/roles/grafana}/files/datasources.yml (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/grafana/files/grafana.ini (100%)
 rename {update/ansible/playbook/tasks => build/ansible/roles/grafana}/files/plugins.yml (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/grafana/tasks/main.yml (72%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/files/conf.d/pmm-ssl.conf (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/files/conf.d/pmm.conf (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/files/local-rss.xml (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/files/nginx.conf (85%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/files/ssl/ca-certs.pem (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/files/ssl/certificate.conf (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/files/ssl/dhparam.pem (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/files/ssl/generate-ssl-certificate (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/files/ssl/upgrade-certificate (100%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/nginx/tasks/main.yml (65%)
 create mode 100644 build/ansible/roles/postgres/tasks/main.yml
 delete mode 100644 managed/testdata/supervisord.d/prometheus.ini
 create mode 100644 update/ansible/playbook/tasks/roles/clickhouse/main.yml
 delete mode 100644 update/ansible/playbook/tasks/roles/clickhouse/tasks/main.yml
 delete mode 100644 update/ansible/playbook/tasks/roles/postgres/tasks/main.yml

diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index f3b23fc9e2..3e1798e250 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -22,6 +22,7 @@ on:
 jobs:
   build:
     name: Build
+    if: false
 
     strategy:
       fail-fast: false
diff --git a/api-tests/management/alerting/alerting_test.go b/api-tests/management/alerting/alerting_test.go
index 96e4563b0e..80657c5369 100644
--- a/api-tests/management/alerting/alerting_test.go
+++ b/api-tests/management/alerting/alerting_test.go
@@ -148,13 +148,13 @@ func TestTemplatesAPI(t *testing.T) {
 	t.Parallel()
 	client := alertingClient.Default.Alerting
 
-	templateData, err := os.ReadFile("../../testdata/ia/template.yaml")
+	templateData, err := os.ReadFile("../../testdata/alerting/template.yaml")
 	require.NoError(t, err)
 
-	multipleTemplatesData, err := os.ReadFile("../../testdata/ia/multiple-templates.yaml")
+	multipleTemplatesData, err := os.ReadFile("../../testdata/alerting/multiple-templates.yaml")
 	require.NoError(t, err)
 
-	invalidTemplateData, err := os.ReadFile("../../testdata/ia/invalid-template.yaml")
+	invalidTemplateData, err := os.ReadFile("../../testdata/alerting/invalid-template.yaml")
 	require.NoError(t, err)
 
 	t.Run("add", func(t *testing.T) {
diff --git a/api-tests/server/settings_test.go b/api-tests/server/settings_test.go
index e1cb0d42a0..3bf3af1ece 100644
--- a/api-tests/server/settings_test.go
+++ b/api-tests/server/settings_test.go
@@ -552,7 +552,7 @@ func TestSettings(t *testing.T) {
 				assert.Empty(t, res)
 			})
 
-			t.Run("NoAdminUserForSSH", func(t *testing.T) {
+			t.Run("ChangeSSHKey", func(t *testing.T) {
 				defer restoreSettingsDefaults(t)
 
 				sshKey := "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClY/8sz3w03vA2bY6mBFgUzrvb2FIoHw8ZjUXGGClJzJg5HC" +
@@ -566,7 +566,7 @@ func TestSettings(t *testing.T) {
 					},
 					Context: pmmapitests.Context,
 				})
-				pmmapitests.AssertAPIErrorf(t, err, 500, codes.Internal, `Internal server error.`)
+				require.NoError(t, err)
 				assert.Empty(t, res)
 			})
 
diff --git a/build/ansible/pmm/post-build-actions.yml b/build/ansible/pmm/post-build-actions.yml
index 3a255a802f..e2cdbfdcd8 100644
--- a/build/ansible/pmm/post-build-actions.yml
+++ b/build/ansible/pmm/post-build-actions.yml
@@ -78,7 +78,7 @@
       register: reread_result
       changed_when: "'No config updates to processes' not in reread_result.stdout"
 
-    - name: See what services are running
+    - name: See which service configs changed
       debug: var=reread_result.stdout_lines
 
     - name: Stop pmm-managed before deleting the database EL9
@@ -89,32 +89,6 @@
         name: pmm-managed
         state: stopped
 
-    - name: Stop supervisord service for AMI/OVF
-      when: ansible_virtualization_type != "docker"
-      service: name=supervisord state=stopped enabled=yes
-
-    - name: Stop supervisord service for docker
-      when: ansible_virtualization_type == "docker"
-      shell: supervisorctl shutdown
-
-      # PMM-11336 - The previous steps failed to start PostgreSQL using supervisord,
-      # so a temporary solution was to start it without supervisord and remove the
-      # pmm-managed database/role. However, a complete overhaul of the pipeline is
-      # necessary for a permanent fix.
-    - name: Stop PostgreSQL database without supervisord
-      command: /usr/pgsql-14/bin/pg_ctl stop -D /srv/postgres14
-      become: yes
-      become_user: pmm
-      ignore_errors: yes
-      when: ansible_virtualization_type != "docker"
-    
-    - name: Start PostgreSQL database without supervisord
-      command: /usr/pgsql-14/bin/pg_ctl start -D /srv/postgres14 -o "-c logging_collector=off"
-      become: yes
-      become_user: pmm
-      ignore_errors: yes
-      when: ansible_virtualization_type != "docker"
-
     - name: Remove pmm-managed database EL9
       when: 
         - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
@@ -130,31 +104,43 @@
         name: pmm-managed
         state: absent
 
-    - name: Stop PostgreSQL database without supervisord
-      command: /usr/pgsql-14/bin/pg_ctl stop -D /srv/postgres14
-      become: yes
-      become_user: pmm
-      ignore_errors: yes
+    - name: Stop supervisord service for AMI/OVF
       when: ansible_virtualization_type != "docker"
+      service: name=supervisord state=stopped enabled=yes
+
+    - name: Stop supervisord service for docker
+      when: ansible_virtualization_type == "docker"
+      shell: supervisorctl shutdown
 
-    - name: Cleanup yum cache          | Cleanup yum cache
-      command: yum clean all
+    - name: Cleanup dnf cache
+      shell: dnf clean all
 
-      # "yum clean all" function will only remove cache from configured yum repositories
-      # Details: https://bugzilla.redhat.com/show_bug.cgi?id=1357083
-    - name: Cleanup yum cache
+    # "yum clean all" function will only remove cache from configured yum repositories
+    # Details: https://bugzilla.redhat.com/show_bug.cgi?id=1357083
+    - name: Cleanup dnf cache
       file:
         state: absent
-        path: /var/cache/yum
+        path: /var/cache/dnf
 
-    - name: Post-build cleanup         | Cleanup build logs and data
+    - name: Cleanup build logs and data
       file: path={{ item }} state=absent
       with_items:
         - /srv/logs
         - /tmp/RPMS
-        - /var/log/yum.log
+        - /var/log/dnf.log
         - /var/log/secure
         - /var/log/wtmp
+        - /var/log/clickhouse-server
+        - /var/log/nginx
+        - /var/lib/pgsql
+
+    - name: Remove users created by installers
+      user:
+        name: "{{ item }}"
+        state: absent
+      loop:
+        - postgres
+        - clickhouse
 
     - name: Clean Clickhouse dir
       shell: find /srv/clickhouse -mindepth 1 -maxdepth 1 -print0 | xargs -0 rm -rf --
@@ -183,3 +169,12 @@
         owner: pmm
         group: pmm
         mode: 0775
+
+    # This is a temp workaround to make sure that the file exists and has the correct permissions.
+    # TODO: Remove, as it won't be needed once the main process is run as `pmm` user.
+    - name: Create nginx log file
+      file:
+        path: /srv/logs/nginx.log 
+        state: touch
+        group: pmm
+        owner: pmm
diff --git a/update/ansible/playbook/tasks/roles/clickhouse/defaults/main.yml b/build/ansible/roles/clickhouse/defaults/main.yml
similarity index 100%
rename from update/ansible/playbook/tasks/roles/clickhouse/defaults/main.yml
rename to build/ansible/roles/clickhouse/defaults/main.yml
diff --git a/update/ansible/playbook/tasks/roles/clickhouse/files/config.xml b/build/ansible/roles/clickhouse/files/config.xml
similarity index 99%
rename from update/ansible/playbook/tasks/roles/clickhouse/files/config.xml
rename to build/ansible/roles/clickhouse/files/config.xml
index 0ccb6ae4bf..20a08592d3 100644
--- a/update/ansible/playbook/tasks/roles/clickhouse/files/config.xml
+++ b/build/ansible/roles/clickhouse/files/config.xml
@@ -23,7 +23,10 @@
         -->
         <level>information</level>
         <console>1</console>
-        <log>/srv/logs/clickhouse-server.log</log>
+        <!-- 
+          We disable this since we use supervisor to redirect the logs from the console (see above) to a file.
+          <log>/srv/logs/clickhouse-server.log</log> 
+        -->
         <!-- Rotation policy
              See https://github.com/pocoproject/poco/blob/poco-1.9.4-release/Foundation/include/Poco/FileChannel.h#L54-L85
         <size>1000M</size>
diff --git a/build/ansible/roles/clickhouse/tasks/main.yml b/build/ansible/roles/clickhouse/tasks/main.yml
new file mode 100644
index 0000000000..baff942535
--- /dev/null
+++ b/build/ansible/roles/clickhouse/tasks/main.yml
@@ -0,0 +1,60 @@
+---
+- name: Add ClickHouse repository
+  yum_repository:
+    name: clickhouse
+    description: ClickHouse - Stable Repository
+    baseurl: https://packages.clickhouse.com/rpm/stable/
+    gpgkey: https://packages.clickhouse.com/rpm/stable/repodata/repomd.xml.key
+    gpgcheck: no
+    repo_gpgcheck: yes
+    enabled: no
+
+- name: Install clickhouse package
+  yum:
+    name:
+      - clickhouse-client-{{ clickhouse_version }}
+      - clickhouse-server-{{ clickhouse_version }}
+      - clickhouse-common-static-{{ clickhouse_version }}
+    state: installed
+    enablerepo: clickhouse
+  ignore_errors: "{{ ansible_check_mode }}" # We don't have clickhouse repo when we run ansible with --check
+
+- name: Change ownership of clickhouse directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: pmm
+    group: pmm
+    mode: 0755
+    recurse: yes
+  loop:
+    - /etc/clickhouse-server
+    - /etc/clickhouse-client
+    - /var/lib/clickhouse
+    - /var/log/clickhouse-server
+    - /run/clickhouse-server
+
+- name: Copy a customized clickhouse config
+  copy:
+    src: config.xml
+    dest: /etc/clickhouse-server/config.xml
+    owner: pmm
+    group: pmm
+    mode: 0664
+
+# We need to remove capabilities because we run PMM in an unprivileged container
+# But we run clickhouse as root user
+- name: Remove cap_ipc_lock from clickhouse binary
+  capabilities:
+    path: /usr/bin/clickhouse
+    state: absent
+    capability: "{{ item }}"
+  loop:
+    - cap_ipc_lock
+    - cap_sys_nice
+    - cap_net_admin
+
+- name: Remove clickhouse-odbc-bridge binary
+  file:
+    path: /usr/bin/clickhouse-odbc-bridge
+    state: absent
diff --git a/update/ansible/playbook/tasks/files/change-admin-password b/build/ansible/roles/grafana/files/change-admin-password
similarity index 100%
rename from update/ansible/playbook/tasks/files/change-admin-password
rename to build/ansible/roles/grafana/files/change-admin-password
diff --git a/update/ansible/playbook/tasks/files/dashboards.yml b/build/ansible/roles/grafana/files/dashboards.yml
similarity index 100%
rename from update/ansible/playbook/tasks/files/dashboards.yml
rename to build/ansible/roles/grafana/files/dashboards.yml
diff --git a/update/ansible/playbook/tasks/files/datasources.yml b/build/ansible/roles/grafana/files/datasources.yml
similarity index 100%
rename from update/ansible/playbook/tasks/files/datasources.yml
rename to build/ansible/roles/grafana/files/datasources.yml
diff --git a/update/ansible/playbook/tasks/roles/grafana/files/grafana.ini b/build/ansible/roles/grafana/files/grafana.ini
similarity index 100%
rename from update/ansible/playbook/tasks/roles/grafana/files/grafana.ini
rename to build/ansible/roles/grafana/files/grafana.ini
diff --git a/update/ansible/playbook/tasks/files/plugins.yml b/build/ansible/roles/grafana/files/plugins.yml
similarity index 100%
rename from update/ansible/playbook/tasks/files/plugins.yml
rename to build/ansible/roles/grafana/files/plugins.yml
diff --git a/update/ansible/playbook/tasks/roles/grafana/tasks/main.yml b/build/ansible/roles/grafana/tasks/main.yml
similarity index 72%
rename from update/ansible/playbook/tasks/roles/grafana/tasks/main.yml
rename to build/ansible/roles/grafana/tasks/main.yml
index cd007335da..6a84218c05 100644
--- a/update/ansible/playbook/tasks/roles/grafana/tasks/main.yml
+++ b/build/ansible/roles/grafana/tasks/main.yml
@@ -19,7 +19,7 @@
     mode: 0744
     recurse: true
 
-- name: Copy new version of grafana.ini
+- name: Copy a custom version of grafana.ini
   copy:
     src: grafana.ini
     dest: /etc/grafana/grafana.ini
@@ -48,7 +48,8 @@
     - plugins
     - dashboards
 
-# This was redundant, as the schema is migrated during the startup phase
-# - name: Upgrade grafana database (apply the latest schema)
-#   command: grafana cli --homepath=/usr/share/grafana --config=/etc/grafana/grafana.ini admin data-migration encrypt-datasource-passwords
-#   changed_when: True
+- name: Create change-admin-password command
+  copy:
+    src: change-admin-password
+    dest: /usr/local/sbin/change-admin-password
+    mode: 0755
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm-ssl.conf b/build/ansible/roles/nginx/files/conf.d/pmm-ssl.conf
similarity index 100%
rename from update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm-ssl.conf
rename to build/ansible/roles/nginx/files/conf.d/pmm-ssl.conf
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm.conf b/build/ansible/roles/nginx/files/conf.d/pmm.conf
similarity index 100%
rename from update/ansible/playbook/tasks/roles/nginx/files/conf.d/pmm.conf
rename to build/ansible/roles/nginx/files/conf.d/pmm.conf
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/local-rss.xml b/build/ansible/roles/nginx/files/local-rss.xml
similarity index 100%
rename from update/ansible/playbook/tasks/roles/nginx/files/local-rss.xml
rename to build/ansible/roles/nginx/files/local-rss.xml
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/nginx.conf b/build/ansible/roles/nginx/files/nginx.conf
similarity index 85%
rename from update/ansible/playbook/tasks/roles/nginx/files/nginx.conf
rename to build/ansible/roles/nginx/files/nginx.conf
index 4817b9abca..ea60c7bbe5 100644
--- a/update/ansible/playbook/tasks/roles/nginx/files/nginx.conf
+++ b/build/ansible/roles/nginx/files/nginx.conf
@@ -1,10 +1,10 @@
-user  pmm;
+# user  pmm; ## It's ignored when the master process is not run by root.
 worker_processes  2;
 
 daemon off;
 
-error_log  /dev/stderr warn;
-pid        /var/run/nginx.pid;
+error_log  /srv/logs/nginx.log warn;
+pid        /run/nginx.pid;
 
 events {
     worker_connections 4096;
@@ -23,7 +23,7 @@ http {
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
-    access_log  /dev/stdout  main;
+    access_log  /srv/logs/nginx.log  main;
 
     sendfile        on;
     gzip            on;
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/ssl/ca-certs.pem b/build/ansible/roles/nginx/files/ssl/ca-certs.pem
similarity index 100%
rename from update/ansible/playbook/tasks/roles/nginx/files/ssl/ca-certs.pem
rename to build/ansible/roles/nginx/files/ssl/ca-certs.pem
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/ssl/certificate.conf b/build/ansible/roles/nginx/files/ssl/certificate.conf
similarity index 100%
rename from update/ansible/playbook/tasks/roles/nginx/files/ssl/certificate.conf
rename to build/ansible/roles/nginx/files/ssl/certificate.conf
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/ssl/dhparam.pem b/build/ansible/roles/nginx/files/ssl/dhparam.pem
similarity index 100%
rename from update/ansible/playbook/tasks/roles/nginx/files/ssl/dhparam.pem
rename to build/ansible/roles/nginx/files/ssl/dhparam.pem
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/ssl/generate-ssl-certificate b/build/ansible/roles/nginx/files/ssl/generate-ssl-certificate
similarity index 100%
rename from update/ansible/playbook/tasks/roles/nginx/files/ssl/generate-ssl-certificate
rename to build/ansible/roles/nginx/files/ssl/generate-ssl-certificate
diff --git a/update/ansible/playbook/tasks/roles/nginx/files/ssl/upgrade-certificate b/build/ansible/roles/nginx/files/ssl/upgrade-certificate
similarity index 100%
rename from update/ansible/playbook/tasks/roles/nginx/files/ssl/upgrade-certificate
rename to build/ansible/roles/nginx/files/ssl/upgrade-certificate
diff --git a/update/ansible/playbook/tasks/roles/nginx/tasks/main.yml b/build/ansible/roles/nginx/tasks/main.yml
similarity index 65%
rename from update/ansible/playbook/tasks/roles/nginx/tasks/main.yml
rename to build/ansible/roles/nginx/tasks/main.yml
index 1ae7e56102..d3cea0753a 100644
--- a/update/ansible/playbook/tasks/roles/nginx/tasks/main.yml
+++ b/build/ansible/roles/nginx/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 # We already have nginx package in epel repo
-- name: Add Nginx repository for RHEL9
+- name: Add Nginx repository
   when:
     - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
     - ansible_distribution_major_version == '9'
@@ -15,15 +15,19 @@
   file:
     path: "{{ item }}"
     state: directory
+    owner: pmm
+    group: pmm
   loop:
     - /usr/share/pmm-server/static/
     - /etc/nginx/conf.d/
     - /etc/nginx/ssl/
 
-- name: Install nginx rpm          | Install nginx
+- name: Install nginx
   yum:
     name: nginx
     state: installed
+    exclude:
+      - logrotate-*
 
 - name: Add ssl-related files and scripts
   copy:
@@ -31,13 +35,13 @@
     dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
   loop:
-    - { src: ca-certs.pem, dest: /etc/nginx/ssl/ca-certs.pem, mode: "u=rw,g=r,o=r" }
-    - { src: certificate.conf, dest: /etc/nginx/ssl/certificate.conf, mode: "u=rw,g=r,o=r" }
-    - { src: dhparam.pem, dest: /etc/nginx/ssl/dhparam.pem, mode: "u=rw,g=r,o=r" }
-    - { src: generate-ssl-certificate, dest: /var/lib/cloud/scripts/per-boot/generate-ssl-certificate, mode: "u=rwx,g=rx,o=rx" }
-    - { src: upgrade-certificate, dest: /var/lib/cloud/scripts/per-boot/upgrade-certificate, mode: "u=rwx,g=rx,o=rx" }
+    - { src: ca-certs.pem, dest: /etc/nginx/ssl/ca-certs.pem, mode: "0644" }
+    - { src: certificate.conf, dest: /etc/nginx/ssl/certificate.conf, mode: "0644" }
+    - { src: dhparam.pem, dest: /etc/nginx/ssl/dhparam.pem, mode: "0644" }
+    - { src: generate-ssl-certificate, dest: /var/lib/cloud/scripts/per-boot/generate-ssl-certificate, mode: "0755" }
+    - { src: upgrade-certificate, dest: /var/lib/cloud/scripts/per-boot/upgrade-certificate, mode: "0755" }
 
-- name: NGINX                       | Copy nginx configs
+- name: Copy nginx configs
   copy:
     src: "{{ item }}"
     dest: "/etc/nginx/{{ item }}"
@@ -47,20 +51,42 @@
     - "conf.d/pmm-ssl.conf"
     - "conf.d/pmm.conf"
 
-- name: NGINX SSL Certificate      | Check certificate file
+- name: Check if the user-provided certificate exists
   stat:
     path: /srv/nginx/certificate.crt
   register: certificate_file
 
-- name: NGINX SSL Certificate      | Generate certificate
+- name: Generate SSL certificates
   when: not certificate_file.stat.exists
   command: /var/lib/cloud/scripts/per-boot/generate-ssl-certificate
 
-- name: Remove default.conf
+- name: Remove the default nginx config files
   file:
-    path: /etc/nginx/conf.d/default.conf
+    path: /etc/nginx/*.default
     state: absent
 
+- name: Change ownership of nginx dirs
+  file:
+    path: "{{ item }}"
+    state: directory
+    group: pmm
+    owner: pmm
+    recurse: yes
+  loop:
+    - /var/lib/nginx
+    - /etc/nginx
+    - /srv/nginx
+
+- name: Change ownership of nginx files
+  file:
+    path: "{{ item }}"
+    state: touch
+    group: pmm
+    owner: pmm
+  loop:
+    - /run/nginx.pid
+    - /srv/logs/nginx.log
+
 - name: Check nginx configuration
   command: nginx -t
   changed_when: false
@@ -69,4 +95,6 @@
   copy:
     src: local-rss.xml
     dest: /usr/share/pmm-server/static/
+    group: pmm
+    owner: pmm
     mode: 0644
diff --git a/build/ansible/roles/pmm-images/tasks/main.yml b/build/ansible/roles/pmm-images/tasks/main.yml
index 031bc45fef..44d15d24a6 100644
--- a/build/ansible/roles/pmm-images/tasks/main.yml
+++ b/build/ansible/roles/pmm-images/tasks/main.yml
@@ -57,6 +57,18 @@
       - rsync
       - libsqlite3x-devel # package does not come pre-installed on EL9
 
+- name: Install ansible-core and ansible collections
+  when:
+    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
+    - ansible_distribution_major_version == '9'
+  yum:
+    name:
+      - ansible-core
+      - ansible-collection-community-general
+      - ansible-collection-community-postgresql
+      - ansible-collection-ansible-posix
+    state: present
+
 - name: Create users for non-docker images          | Create users
   user:
     name: "pmm"
@@ -68,10 +80,10 @@
       group:
         name: "{{ item.name }}"
         gid: "{{ item.gid }}"
-        non_unique: true
       loop:
         - { name: pmm, gid: 1000 }
-        - { name: clickhouse, gid: 997 }
+        - { name: nginx, gid: 1002 }
+        - { name: clickhouse, gid: 1001 }
 
     - name: Create users              | Create users
       user:
@@ -81,20 +93,20 @@
         comment: "{{ item.comment }}"
         shell: "{{ item.shell }}"
         group: "{{ item.group }}"
-        non_unique: true
       loop:
         - { name: pmm, uid: 1000, comment: "PMM Server", shell: "/usr/bin/bash", home: "/home/pmm", group: pmm, }
-        - { name: clickhouse, uid: 997, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/var/lib/clickhouse", group: clickhouse, }
+        - { name: nginx, uid: 1002, comment: "nginx user", shell: "/sbin/nologin", home: "/dev/null", group: nginx, }
+        - { name: clickhouse, uid: 1001, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/dev/null", group: clickhouse, }
+
   when: ansible_virtualization_type == "docker"
 
 - name: Create directories        | Create dirs
   file: path={{ item }} state=directory owner=pmm group=pmm
   with_items:
-    - /srv/prometheus/data
     - /srv/prometheus/rules
     - /etc/grafana
 
-- name: Create directories        | Create dirs
+- name: Create a directory for logs
   file:
     path: /srv/logs
     state: directory
@@ -102,6 +114,14 @@
     group: pmm
     mode: 0775
 
+- name: Create clickhouse data directory
+  file:
+    path: /srv/clickhouse
+    state: directory
+    owner: pmm
+    group: pmm
+    mode: 0755
+
 - name: Create dirs                | Create dirs
   when: ansible_virtualization_type == "docker"
   file: path={{ item }} state=directory
@@ -109,10 +129,6 @@
     - /var/lib/cloud/scripts/per-once
     - /var/lib/cloud/scripts/per-boot
 
-- name: Install supervisord
-  include_role:
-    name: supervisord-init
-
 - name: Install RPMs               | Install RPMs for PMM3 server
   yum:
     name:
@@ -128,6 +144,26 @@
     # line below is sed'ed by build-server-docker script
     enablerepo: "pmm-server"
 
+- name: Create grafana config
+  include_role:
+    name: grafana
+
+- name: Install clickhouse
+  include_role:
+    name: clickhouse
+
+- name: Install nginx
+  include_role:
+    name: nginx
+
+- name: Install postgres
+  include_role:
+    name: postgres
+
+- name: Install supervisord
+  include_role:
+    name: supervisord-init
+
 - name: PMM                        | Enable repo for pmm-client
   command: percona-release enable {{ pmm_client_repos }}
 
@@ -135,18 +171,6 @@
   include_role:
     name: pmm-client
 
-- name: Install ansible-core RPM          | EL9
-  when:
-    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-    - ansible_distribution_major_version == '9'
-  yum:
-    name:
-      - ansible-core
-      - ansible-collection-community-general
-      - ansible-collection-community-postgresql
-      - ansible-collection-ansible-posix
-    state: present
-
 - name: Disable pmm-agent service | Disable pmm-agent
   when: ansible_virtualization_type != "docker"
   service: name=pmm-agent state=stopped enabled=no
@@ -160,3 +184,22 @@
     src: grafana.ini
     dest: /etc/supervisord.d/grafana.ini
     mode: 0644
+
+- name: Create backup directory
+  file:
+    path: /srv/backup
+    state: directory
+
+- name: Create a working directory for VictoriaMetrics
+  file:
+    path: /srv/victoriametrics/data
+    state: directory
+    owner: pmm
+    group: pmm
+
+- name: Create an empty configuration file for VictoriaMetrics
+  file:
+    path: /etc/victoriametrics-promscrape.yml
+    state: touch
+    owner: pmm
+    group: pmm
diff --git a/build/ansible/roles/postgres/tasks/main.yml b/build/ansible/roles/postgres/tasks/main.yml
new file mode 100644
index 0000000000..1da0215183
--- /dev/null
+++ b/build/ansible/roles/postgres/tasks/main.yml
@@ -0,0 +1,109 @@
+---
+- name: Add PostgreSQL 14 YUM repository
+  yum_repository:
+    name: percona-ppg-14
+    description: PostgreSQL YUM repository
+    baseurl: http://repo.percona.com/ppg-14/yum/release/$releasever/RPMS/$basearch/
+    gpgcheck: yes
+    enabled: yes
+    gpgkey: file:///etc/pki/rpm-gpg/PERCONA-PACKAGING-KEY
+
+# we need the old postgres binary for the upgrade process
+- name: Install Postgres
+  when:
+    - not ansible_check_mode
+  dnf:
+    name:
+      - percona-postgresql14-server
+      - percona-postgresql14-contrib
+      - percona-postgresql14
+      - python-psycopg2 # Python PostgreSQL database adapter
+    state: installed
+
+- name: Create a socket directory for Postgres
+  file:
+    path: /run/postgresql
+    state: directory
+    owner: pmm
+    group: pmm
+    mode: 0775  
+
+- name: Create Postgres log file
+  file:
+    path: /srv/logs/postgresql14.log
+    state: touch
+    force: yes
+    group: pmm
+    owner: pmm
+    mode: 0644
+
+- name: Create Postgres data dir
+  file:
+    path: /srv/postgres14
+    state: directory
+    owner: pmm
+    group: pmm
+    mode: 0766
+
+- name: Initialize Postgres database
+  command: /usr/pgsql-14/bin/initdb -D /srv/postgres14 --auth=trust
+  become: true
+  become_user: pmm
+  become_method: su
+
+- name: Start Postgres database without supervisor
+  command: /usr/pgsql-14/bin/pg_ctl start -D /srv/postgres14 -o "-c logging_collector=off"
+  become: true
+  become_user: pmm
+  become_method: su
+
+- name: Create postgres user
+  shell: /usr/pgsql-14/bin/createuser --echo --superuser --host=/run/postgresql --no-password postgres
+  become: true
+  become_user: pmm
+  become_method: su      
+
+- name: Create pmm-managed database
+  postgresql_db:
+    name: pmm-managed
+    state: present
+
+- name: Create pmm-managed user
+  postgresql_user:
+    db: pmm-managed
+    name: pmm-managed
+    password: "md5da757ec3e22c6d86a2bb8e70307fa937"
+    priv: "ALL"
+    expires: infinity
+    state: present
+
+- name: Create pg_stat_statements extension
+  postgresql_ext:
+    db: postgres
+    name: pg_stat_statements
+    schema: public
+
+- name: Create grafana database in postgres
+  postgresql_db:
+    name: grafana
+    state: present
+
+- name: Create grafana user in postgres
+  postgresql_user:
+    db: grafana
+    name: grafana
+    password: grafana
+    priv: 'ALL'
+    expires: infinity
+    state: present
+  when: not ansible_check_mode
+
+- name: Upgrade grafana database to the latest schema
+  command: grafana cli --homepath=/usr/share/grafana --config=/etc/grafana/grafana.ini admin data-migration encrypt-datasource-passwords
+  changed_when: True
+
+- name: Stop Postgres 14 database without supervisor
+  command: /usr/pgsql-14/bin/pg_ctl stop -D /srv/postgres14
+  become: true
+  become_user: pmm
+  become_method: su
diff --git a/build/ansible/roles/supervisord-init/tasks/main.yml b/build/ansible/roles/supervisord-init/tasks/main.yml
index eeb7195531..878485fa03 100644
--- a/build/ansible/roles/supervisord-init/tasks/main.yml
+++ b/build/ansible/roles/supervisord-init/tasks/main.yml
@@ -1,66 +1,66 @@
 ---
-- name: Install supervisor        | EL9
-  when: (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version  == '9'
+- name: Install supervisor
   pip:
     name: supervisor==4.2.4
 
-- name: Fix supervisor EL9      | Fix supervisor
-  when: (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version  == '9'
-  shell: if [ ! -e /usr/bin/supervisord ]; then ln -s /usr/local/bin/supervisord /usr/bin/supervisord; fi
+- name: Create a symlink for supervisord
+  file:
+    src: /usr/local/bin/supervisord
+    dest: /usr/bin/supervisord
+    state: link
 
-- name: Configure supervisor EL9       | Create a default configuration file for supervisord
-  when: (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version  == '9'
+- name: Create a default configuration file for supervisord
   shell: /usr/local/bin/echo_supervisord_conf > /etc/supervisord.conf
   ignore_errors: True
 
-- name: Configure supervisor       | Modify supervisord.conf
+- name: Modify supervisord.conf
   ini_file:
     dest: /etc/supervisord.conf
     section: include
     option: files
     value: supervisord.d/*.ini
 
-- name: Install supervisor         | Modify supervisord.conf
+- name: Modify supervisord.conf
   ini_file:
     dest: /etc/supervisord.conf
     section: unix_http_server
     option: file
     value: /run/supervisor/supervisor.sock
 
-- name: Configure supervisor       | Modify supervisord.conf
+- name: Modify supervisord.conf
   ini_file:
     dest: /etc/supervisord.conf
     section: supervisord
     option: logfile
     value: "/srv/logs/supervisord.log"
 
-- name: Configure supervisor       | Modify supervisord.conf
+- name: Modify supervisord.conf
   ini_file:
     dest: /etc/supervisord.conf
     section: supervisord
     option: pidfile
     value: /run/supervisord.pid
 
-- name: Configure supervisor       | Modify supervisord.conf
+- name: Modify supervisord.conf
   ini_file:
     dest: /etc/supervisord.conf
     section: supervisorctl
     option: serverurl
     value: unix:///run/supervisor/supervisor.sock
 
-- name: Configure supervisor       | Create dirs
+- name: Create dirs
   file:
     path: /run/supervisor
     state: directory
     mode: 0770
 
-- name: Configure supervisor       | Create /etc/supervisord.d dir
+- name: Create /etc/supervisord.d dir
   file:
     path: /etc/supervisord.d
     mode: 0755
     state: directory
 
-- name: Configure supervisor       | Add /etc/tmpfiles.d/supervisor.conf config
+- name: Add /etc/tmpfiles.d/supervisor.conf config
   when: ansible_virtualization_type != "docker"
   copy:
     content: |
@@ -68,21 +68,21 @@
     dest: /etc/tmpfiles.d/supervisor.conf
     mode: 0644
 
-- name: Configure supervisor       | Fix credentials
+- name: Fix credentials
   ini_file:
     dest: /etc/supervisord.conf
     section: supervisorctl
     option: username
     value: dummy
 
-- name: Configure supervisor       | Fix credentials
+- name: Fix credentials
   ini_file:
     dest: /etc/supervisord.conf
     section: supervisorctl
     option: password
     value: dummy
 
-- name: Configure supervisor       | Increase number of open files for jobs
+- name: Increase number of open files for jobs
   when: ansible_virtualization_type != "docker"
   ini_file:
     dest: /etc/supervisord.conf
@@ -90,17 +90,17 @@
     option: minfds
     value: "800000"
 
-- name: Configure supervisor       | Add supervisord.service
+- name: Add supervisord.service
   when: ansible_virtualization_type != "docker"
   copy:
     src: supervisord.service
     dest: /usr/lib/systemd/system/
     mode: 0644
 
-- name: Fix motd      | Fix motd
+- name: Fix motd
   shell: echo "Welcome to PMM Server!" > /etc/motd; echo "Welcome to PMM Server!" > /etc/motd.conf
 
-- name: Debug                      | Print the contents of supervisord.conf
+- name: Print the contents of supervisord.conf
   debug:
     msg:
       - "{{ lookup('file', '/etc/supervisord.conf') | split('\n') }}"
diff --git a/build/docker/server/Dockerfile.el9 b/build/docker/server/Dockerfile.el9
index 3ad512a3b5..a7ed9285a5 100644
--- a/build/docker/server/Dockerfile.el9
+++ b/build/docker/server/Dockerfile.el9
@@ -41,5 +41,5 @@ RUN ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/main.
   && ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm/post-build-actions.yml
 
 COPY entrypoint.sh /opt/entrypoint.sh
-HEALTHCHECK --interval=3s --timeout=2s --start-period=10s --retries=3 CMD curl -f http://127.0.0.1/v1/readyz || exit 1
+HEALTHCHECK --interval=3s --timeout=2s --start-period=10s --retries=3 CMD curl -f http://127.0.0.1:8080/v1/readyz || exit 1
 CMD ["/opt/entrypoint.sh"]
diff --git a/build/docker/server/create_users.sh b/build/docker/server/create_users.sh
index 9ac1d05c0b..e37eae3bf8 100644
--- a/build/docker/server/create_users.sh
+++ b/build/docker/server/create_users.sh
@@ -2,7 +2,7 @@
 
 users=(
   "pmm:1000:/bin/false:/home/pmm:pmm"
-  "clickhouse:997:/sbin/nologin:/var/lib/clickhouse:clickhouse"
+  "nginx:1001:/sbin/nologin:/var/cache/nginx:nginx"
 )
 
 for user in "${users[@]}"; do
diff --git a/build/docs/MIGRATION.md b/build/docs/MIGRATION.md
index 3a4617be6f..471f365688 100644
--- a/build/docs/MIGRATION.md
+++ b/build/docs/MIGRATION.md
@@ -1,4 +1,4 @@
-# Migration from PMM v2 to v3 [draft]
+# Migration from PMM v2 to v3 [early draft]
 
 ## Preface
 The migration from PMM v2 to v3 is a complex process that requires a lot of manual work. This document describes the process of migration and the steps that need to be taken to complete it.
@@ -8,61 +8,101 @@ One of the goals of the migration is to run all processes as an unprivileged use
 ## General migration steps
 
 1. Upgrade PMM Server to v2.41.x
-The first step is to upgrade PMM Server to the latest version of v2.41.x. This is necessary because the migration process requires the latest version of the PMM Server v2.41.x.
+The first step is to upgrade PMM Server to the latest version of v2.41.x. This is necessary because the migration from v2 to v3 requires the latest version of PMM Server v2.41.x.
 
 2. Stop all PMM Server processes
 The next step is to stop all PMM Server processes. This includes shutting down supervisord process as well.
 
+3. Backup the data
+This involves backing up the `/srv` directory since all the databases, log files, some user-facing config files and plugins are stored there.
 
-## Migration steps for PostgreSQL
+4. Run PMM Server v3
+The next step is to run PMM Server v3. The data volume should be mounted to PMM's `/srv` directory.
 
-1. Stop the following processes (all that connect to the database):
-```
-  - pmm-agent
-  - pmm-managed
-  - grafana
-  - postgres
-```
+When PMM v3 starts, it will detect the need for migration and proceed with it. 
+
+5. Migrate the data
+The next step is migration of data from v2 to v3. This involves running an ansible migration playbook, that will migrate the data from v2 to v3. It will also create the necessary users and set the correct permissions on the files and directories. 
+
+The process is automatic and does not require any manual intervention. Upon completion, the UI will display a message with the migration summary.
+
+The migration process will also start all the processes that were running prior to it.
+
+6. Migrate PMM Clients
+PMM Clients version 2.x and earlier are not compatible with PMM Server v3.x. There is a good number of breaking changes in v3, which make it impossible to use v1/v2 clients along with PMM Server v3. 
+
+The migration of clients involves the installation of PMM Clients v3.x. The process is manual and requires the user to install the new clients on all monitored hosts. Once the client is installed, it should connect to PMM Server v3 and start sending data.
+
+7. Post-migration steps
+The last step is to perform some post-migration checks to be sure that the migration was successful. These checks are manual. They include:
+  - verification of PMM settings, users and permissions
+  - verification of data integrity and consistency
+  - verification of inventory to make sure all nodes, agents and services run as before
+
+We suggest to keep the old data for some time in case you need to roll PMM Server back to v2. Once you are sure that the migration was successful, you can remove the old data.
+
+
+## Migration steps for individual components
+The following sections describe the migration steps for individual components. They are meant to be used as a reference for the migration process so that the user can understand what is happening during the migration. 
+
+### Migration steps for PostgreSQL
+
+1. Stop the following processes:
+    - pmm-agent (will stop all exporters)
+    - pmm-managed
+    - grafana
+    - postgres
 
 2. Backup the databases
 ```
-  - /usr/pgsql-14/bin/pg_dump --host=/run/postgresql --username=postgres --file=/srv/backup/grafana.sql --dbname grafana
-  - /usr/pgsql-14/bin/pg_dump --host=/run/postgresql --username=postgres --file=/srv/backup/pmm-managed.sql --dbname pmm-managed
+  /usr/pgsql-14/bin/pg_dump --host=/run/postgresql --username=postgres --file=/srv/backup/grafana.sql --dbname grafana
+  /usr/pgsql-14/bin/pg_dump --host=/run/postgresql --username=postgres --file=/srv/backup/pmm-managed.sql --dbname pmm-managed
 ```
 
 3. Move the database directory to /srv/backup/posgres14
 ```
-  - mv /srv/posgres14 /srv/backup/
+  mv /srv/posgres14 /srv/backup/
 ```
 
-4. Recreate the following files or directories setting the ownership to `pmm` user
-```
-  - /srv/postgres14 (0700)
-  - /run/postgresql (0755)
-  - /srv/logs/postgresql14.log (0744)
-```
+4. Recreate the following files or directories setting the ownership to `pmm` user:
+    - /srv/postgres14 (0700)
+    - /run/postgresql (0755)
+    - /srv/logs/postgresql14.log (0744)
 
 5. Start a v3 instance
 Remember to pass the data volume to the instance so it can bootstrap the database. This is normally done by passing the `-v pmm-data:/srv` option to the `docker run` command, where `pmm-data` is the name of the volume.
 
-6. Shut down the following processes
-```
-  - pmm-agent
-  - pmm-managed
-  - grafana
-  - postgres
-```
+6. Shut down the following processes:
+    - pmm-agent
+    - pmm-managed
+    - grafana
+    - postgres
 
 7. Restore the databases from the backup
 ```
-  - /usr/pgsql-14/bin/pg_restore --host=/run/postgresql --username=postgres --file=/srv/backup/postgres.sql -S postgres
-  - /usr/pgsql-14/bin/pg_restore --host=/run/postgresql --username=postgres --file=/srv/backup/grafana.sql -S postgres
+  /usr/pgsql-14/bin/pg_restore --host=/run/postgresql --username=postgres --file=/srv/backup/postgres.sql -S postgres
+  /usr/pgsql-14/bin/pg_restore --host=/run/postgresql --username=postgres --file=/srv/backup/grafana.sql -S postgres
 ```
 
-8. Start the following processes
-```
-  - postgres
-  - grafana
-  - pmm-managed
-  - pmm-agent
-```
+8. Start the following processes:
+    - postgres
+    - grafana
+    - pmm-managed
+    - pmm-agent
+
+### Migration steps for ClickHouse
+
+1. Stop the following processes:
+    - grafana (its UI requires QAN API)
+    - qan-api2
+    - clickhouse
+
+2. Change ownership of the following directories (recursive) to `pmm` user:
+    - /srv/clickhouse (0755) - the data directory
+
+3. Start the following processes:
+    - clickhouse
+    - qan-api2
+    - grafana
+
+Please note, that data migration to v3 is done by PMM.
diff --git a/managed/services/supervisord/pmm_config.go b/managed/services/supervisord/pmm_config.go
index 07ac62556d..78940e13e2 100644
--- a/managed/services/supervisord/pmm_config.go
+++ b/managed/services/supervisord/pmm_config.go
@@ -133,6 +133,7 @@ redirect_stderr = true
 [program:clickhouse]
 priority = 2
 command = /usr/bin/clickhouse-server --config-file=/etc/clickhouse-server/config.xml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10
@@ -157,8 +158,6 @@ startretries = 10
 startsecs = 1
 stopsignal = TERM
 stopwaitsecs = 10
-; nginx.conf contains settings to log to /dev/sdtout and /dev/stderr,
-; which allows supervisord to manage the logs further.
 stdout_logfile = /srv/logs/nginx.log
 stdout_logfile_maxbytes = 50MB
 stdout_logfile_backups = 2
diff --git a/managed/services/supervisord/supervisord.go b/managed/services/supervisord/supervisord.go
index 8460060cfa..31c510f51d 100644
--- a/managed/services/supervisord/supervisord.go
+++ b/managed/services/supervisord/supervisord.go
@@ -607,22 +607,6 @@ func (s *Service) StopSupervisedService(serviceName string) error {
 //nolint:lll
 var templates = template.Must(template.New("").Option("missingkey=error").Parse(`
 
-{{define "prometheus"}}
-[program:prometheus]
-command = /bin/echo Prometheus is substituted by VictoriaMetrics
-user = pmm
-autorestart = false
-autostart = false
-startretries = 10
-startsecs = 1
-stopsignal = TERM
-stopwaitsecs = 300
-stdout_logfile = /srv/logs/prometheus.log
-stdout_logfile_maxbytes = 10MB
-stdout_logfile_backups = 3
-redirect_stderr = true
-{{end}}
-
 {{define "victoriametrics"}}
 {{- if not .ExternalVM }}
 [program:victoriametrics]
@@ -642,7 +626,6 @@ command =
 		--search.logSlowQueryDuration=30s
 		--search.maxQueryDuration=90s
 		--promscrape.streamParse=true
-		--prometheusDataPath=/srv/prometheus/data
 		--http.pathPrefix=/prometheus
 		--envflag.enable
 		--envflag.prefix=VM_
diff --git a/managed/testdata/supervisord.d/pmm-db_disabled.ini b/managed/testdata/supervisord.d/pmm-db_disabled.ini
index 703add6c97..4d7693ee99 100644
--- a/managed/testdata/supervisord.d/pmm-db_disabled.ini
+++ b/managed/testdata/supervisord.d/pmm-db_disabled.ini
@@ -27,6 +27,7 @@ redirect_stderr = true
 [program:clickhouse]
 priority = 2
 command = /usr/bin/clickhouse-server --config-file=/etc/clickhouse-server/config.xml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10
@@ -50,8 +51,6 @@ startretries = 10
 startsecs = 1
 stopsignal = TERM
 stopwaitsecs = 10
-; nginx.conf contains settings to log to /dev/sdtout and /dev/stderr,
-; which allows supervisord to manage the logs further.
 stdout_logfile = /srv/logs/nginx.log
 stdout_logfile_maxbytes = 50MB
 stdout_logfile_backups = 2
diff --git a/managed/testdata/supervisord.d/pmm-db_enabled.ini b/managed/testdata/supervisord.d/pmm-db_enabled.ini
index bcb0436863..891ae16f6e 100644
--- a/managed/testdata/supervisord.d/pmm-db_enabled.ini
+++ b/managed/testdata/supervisord.d/pmm-db_enabled.ini
@@ -51,6 +51,7 @@ redirect_stderr = true
 [program:clickhouse]
 priority = 2
 command = /usr/bin/clickhouse-server --config-file=/etc/clickhouse-server/config.xml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10
@@ -74,8 +75,6 @@ startretries = 10
 startsecs = 1
 stopsignal = TERM
 stopwaitsecs = 10
-; nginx.conf contains settings to log to /dev/sdtout and /dev/stderr,
-; which allows supervisord to manage the logs further.
 stdout_logfile = /srv/logs/nginx.log
 stdout_logfile_maxbytes = 50MB
 stdout_logfile_backups = 2
diff --git a/managed/testdata/supervisord.d/prometheus.ini b/managed/testdata/supervisord.d/prometheus.ini
deleted file mode 100644
index 8e097edd01..0000000000
--- a/managed/testdata/supervisord.d/prometheus.ini
+++ /dev/null
@@ -1,15 +0,0 @@
-; Managed by pmm-managed. DO NOT EDIT.
-
-[program:prometheus]
-command = /bin/echo Prometheus is substituted by VictoriaMetrics
-user = pmm
-autorestart = false
-autostart = false
-startretries = 10
-startsecs = 1
-stopsignal = TERM
-stopwaitsecs = 300
-stdout_logfile = /srv/logs/prometheus.log
-stdout_logfile_maxbytes = 10MB
-stdout_logfile_backups = 3
-redirect_stderr = true
diff --git a/managed/testdata/supervisord.d/victoriametrics.ini b/managed/testdata/supervisord.d/victoriametrics.ini
index 98b8929ed7..20d22230f5 100644
--- a/managed/testdata/supervisord.d/victoriametrics.ini
+++ b/managed/testdata/supervisord.d/victoriametrics.ini
@@ -17,7 +17,6 @@ command =
 		--search.logSlowQueryDuration=30s
 		--search.maxQueryDuration=90s
 		--promscrape.streamParse=true
-		--prometheusDataPath=/srv/prometheus/data
 		--http.pathPrefix=/prometheus
 		--envflag.enable
 		--envflag.prefix=VM_
diff --git a/update/ansible/playbook/tasks/files/pmm.ini b/update/ansible/playbook/tasks/files/pmm.ini
index 4c4c990bc0..0215623ccf 100644
--- a/update/ansible/playbook/tasks/files/pmm.ini
+++ b/update/ansible/playbook/tasks/files/pmm.ini
@@ -51,6 +51,7 @@ redirect_stderr = true
 [program:clickhouse]
 priority = 2
 command = /usr/bin/clickhouse-server --config-file=/etc/clickhouse-server/config.xml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10
@@ -73,8 +74,6 @@ startretries = 10
 startsecs = 1
 stopsignal = TERM
 stopwaitsecs = 10
-; nginx.conf contains settings to log to /dev/sdtout and /dev/stderr,
-; which allows supervisord to manage the logs further.
 stdout_logfile = /srv/logs/nginx.log
 stdout_logfile_maxbytes = 50MB
 stdout_logfile_backups = 2
diff --git a/update/ansible/playbook/tasks/roles/clickhouse/main.yml b/update/ansible/playbook/tasks/roles/clickhouse/main.yml
new file mode 100644
index 0000000000..bb2f660bfd
--- /dev/null
+++ b/update/ansible/playbook/tasks/roles/clickhouse/main.yml
@@ -0,0 +1,18 @@
+---
+# This role contains tasks executed during the migration of PMM Server from v2 to v3
+- name: Create a feature flag directory
+  file:
+    path: /srv/clickhouse/flags
+    state: directory
+    owner: pmm
+    group: pmm
+    mode: 0755
+    recurse: true
+
+- name: Create a feature flag
+  file:
+    path: /srv/clickhouse/flags/convert_ordinary_to_atomic
+    state: touch
+    owner: pmm
+    group: pmm
+    mode: 0755
diff --git a/update/ansible/playbook/tasks/roles/clickhouse/tasks/main.yml b/update/ansible/playbook/tasks/roles/clickhouse/tasks/main.yml
deleted file mode 100644
index 3d1a94f866..0000000000
--- a/update/ansible/playbook/tasks/roles/clickhouse/tasks/main.yml
+++ /dev/null
@@ -1,100 +0,0 @@
----
-- name: Find supervisord's socket
-  stat:
-    path: /var/run/supervisor/supervisor.sock
-  register: supervisord_socket
-
-- name: Stop and remove clickhouse before update | EL9
-  when:
-    - supervisord_socket.stat.exists
-    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-    - ansible_distribution_major_version == '9'
-  command: /usr/local/bin/supervisorctl {{ item }} clickhouse
-  become: true
-  loop:
-    - stop
-    - remove
-
-- name: Remove old clickhouse packages
-  yum:
-    state: absent
-    name:
-      - percona-clickhouse-client
-      - percona-clickhouse-server
-      - percona-clickhouse-common-static
-      - percona-clickhouse-server-common
-      - clickhouse-client
-      - clickhouse-server
-      - clickhouse-client-21.3.14.1-2
-      - clickhouse-server-21.3.14.1-2
-      - clickhouse-client-21.3.20.1-2
-      - clickhouse-server-21.3.20.1-2
-
-- name: Disable clickhouse-server in systemd
-  when: not is_docker
-  service:
-    name: clickhouse-server
-    state: stopped
-    enabled: no
-  ignore_errors: true
-
-- name: Add ClickHouse repository
-  yum_repository:
-    name: clickhouse
-    description: ClickHouse - Stable Repository
-    baseurl: https://packages.clickhouse.com/rpm/stable/
-    gpgkey: https://packages.clickhouse.com/rpm/stable/repodata/repomd.xml.key
-    gpgcheck: no
-    repo_gpgcheck: yes
-    enabled: no
-
-- name: Install clickhouse package
-  yum:
-    name:
-      - clickhouse-client-{{ clickhouse_version }}
-      - clickhouse-server-{{ clickhouse_version }}
-      - clickhouse-common-static-{{ clickhouse_version }}
-    state: installed
-    enablerepo: clickhouse
-  ignore_errors: "{{ ansible_check_mode }}" # We don't have clickhouse repo when we run ansible with --check
-
-- name: Copy clickhouse config to image
-  copy:
-    src: config.xml
-    dest: /etc/clickhouse-server/config.xml
-    mode: 0600
-
-# We need to remove capabilities because we run PMM in an unprivileged container
-# But we run clickhouse as root user
-- name: Remove cap_ipc_lock from clickhouse binary
-  capabilities:
-    path: /usr/bin/clickhouse
-    state: absent
-    capability: "{{ item }}"
-  loop:
-    - cap_ipc_lock
-    - cap_sys_nice
-    - cap_net_admin
-
-- name: Remove clickhouse-odbc-bridge binary
-  file:
-    path: "/usr/bin/clickhouse-odbc-bridge"
-    state: absent
-
-- name: Change ownership of clickhouse directory
-  file:
-    path: /srv/clickhouse/
-    owner: root
-    group: root
-
-- name: Start clickhouse EL9
-  when: 
-    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-    - ansible_distribution_major_version == '9'
-  supervisorctl:
-    name: clickhouse
-    state: "{{ item }}"
-  become: true
-  loop:
-    - present
-    - started
diff --git a/update/ansible/playbook/tasks/roles/dashboards_upgrade/tasks/main.yml b/update/ansible/playbook/tasks/roles/dashboards_upgrade/tasks/main.yml
index 308cb64d85..3e1745e998 100644
--- a/update/ansible/playbook/tasks/roles/dashboards_upgrade/tasks/main.yml
+++ b/update/ansible/playbook/tasks/roles/dashboards_upgrade/tasks/main.yml
@@ -19,7 +19,7 @@
 
 - name: Set permissions for the plugin directory
   file:
-    path: "/srv/grafana/plugins"
+    path: /srv/grafana/plugins
     state: directory
     owner: pmm
     group: pmm
diff --git a/update/ansible/playbook/tasks/roles/initialization/tasks/main.yml b/update/ansible/playbook/tasks/roles/initialization/tasks/main.yml
index b1e5908ced..3bf62e9910 100644
--- a/update/ansible/playbook/tasks/roles/initialization/tasks/main.yml
+++ b/update/ansible/playbook/tasks/roles/initialization/tasks/main.yml
@@ -30,6 +30,10 @@
   set_fact:
     pmm_image_version: "{{ image_version_file['content'] | b64decode | trim }}"
 
+- name: Set need_upgrade fact
+  set_fact:
+    need_upgrade: not pmm_current_version is version(pmm_image_version, '>=')
+
 - name: Print current PMM and image versions
   debug:
     msg: "Current version: {{ pmm_current_version }} Image Version: {{ pmm_image_version }}"
@@ -48,78 +52,20 @@
   copy:
     src: maintenance.html
     dest: /usr/share/pmm-server/maintenance/
+    owner: pmm
+    group: pmm
     mode: 0644
   when: docker_upgrade
 
-- name: Clean yum metadata
-  command: yum clean metadata
-  become: true
-  changed_when: True
-
-- name: Update (both)
-  block:
-    # This will implicitly create /srv/clickhouse
-    - name: Create clickhouse data directory
-      file:
-        path: "/srv/clickhouse/flags"
-        state: directory
-        owner: root
-        group: pmm
-        recurse: true
-
-    - name: Create empty file to convert clickhouse databases from ordinary to atomic
-      file:
-        path: "/srv/clickhouse/flags/convert_ordinary_to_atomic"
-        state: touch
-        owner: root
-        group: pmm
-
-    - name: Upgrade dashboards
-      include_role:
-        name: dashboards_upgrade
-  when: not pmm_current_version is version(pmm_image_version, '>=')
+- name: Upgrade dashboards
+  include_role:
+    name: dashboards_upgrade
+  when: need_upgrade
 
-- name: Create backup directory
-  file:
-    path: /srv/backup
-    state: directory
-
-- name: Create grafana DB
-  block:
-    - name: Create grafana database in postgres
-      postgresql_db:
-        name: grafana
-        state: present
-
-    - name: Create grafana user in postgres
-      postgresql_user:
-        db: grafana
-        name: grafana
-        password: grafana
-        priv: 'ALL'
-        expires: infinity
-        state: present
-      when: not ansible_check_mode
-  when: lookup('env','GF_DATABASE_URL') == '' and lookup('env','GF_DATABASE_HOST') == ''
-
-- name: Upgrade grafana database (Get the latest schema)
-  command: grafana cli --homepath=/usr/share/grafana admin data-migration encrypt-datasource-passwords
-  changed_when: True
-  when: lookup('env','PMM_TEST_HA_BOOTSTRAP') != '' and not pmm_current_version is version(pmm_image_version, '>=')
-
-- name: Create a working directory for VictoriaMetrics
-  file:
-    path: /srv/victoriametrics/data 
-    state: directory 
-    owner: pmm 
-    group: pmm
-
-- name: Create an empty configuration file for VictoriaMetrics
-  file: 
-    path: /etc/victoriametrics-promscrape.yml 
-    state: touch 
-    owner: pmm 
-    group: pmm
+- name: Clickhouse migration
+  include_role:
+    name: clickhouse
+  when: need_upgrade
 
 - name: Copy file with image version
   copy:
@@ -127,9 +73,14 @@
     dest: /srv/grafana/PERCONA_DASHBOARDS_VERSION
     owner: pmm
     group: pmm
-    mode: 0666
+    mode: 0644
     remote_src: yes
-  when: not pmm_current_version is version(pmm_image_version, '>=')
+  when: need_upgrade
+
+- name: Create backup directory
+  file:
+    path: /srv/backup
+    state: directory
 
 - name: Wait for PMM to be ready
   ansible.builtin.uri:
diff --git a/update/ansible/playbook/tasks/roles/postgres/tasks/main.yml b/update/ansible/playbook/tasks/roles/postgres/tasks/main.yml
deleted file mode 100644
index dd839571dd..0000000000
--- a/update/ansible/playbook/tasks/roles/postgres/tasks/main.yml
+++ /dev/null
@@ -1,110 +0,0 @@
----
-- name: Add PostgreSQL 14 YUM repository
-  yum_repository:
-    name: percona-ppg-14
-    description: PostgreSQL YUM repository - x86_64
-    baseurl: http://repo.percona.com/ppg-14/yum/release/9/RPMS/x86_64
-    gpgcheck: yes
-    enabled: yes
-    gpgkey: file:///etc/pki/rpm-gpg/PERCONA-PACKAGING-KEY
-
-# we need the old postgres binary for the upgrade process
-- name: Install Postgres
-  when:
-    - not ansible_check_mode
-  dnf:
-    name:
-      - percona-postgresql14-server
-      - percona-postgresql14-contrib
-      - percona-postgresql14
-      - python-psycopg2 # Python PostgreSQL database adapter
-    state: installed
-
-- name: Create a socket directory for Postgres
-  file:
-    path: /run/postgresql
-    state: directory
-    owner: pmm
-    group: pmm
-    mode: 0775  
-
-- name: Create Postgres log file
-  file:
-    path: /srv/logs/postgresql14.log
-    state: touch
-    force: yes
-    group: pmm
-    owner: pmm
-    mode: 0644
-
-- name: Check if Postgres 14 directory exists
-  stat:
-    path: /srv/postgres14
-  register: postgres_14
-
-# From this line on, the script will only run if pg14 is not installed,
-# which means that PMM is about to migrate from pg11 to pg14.
-# Therefore, the directory `/srv/postgres14` must not exist - it will be created.
-- name: Init postgres
-  block:
-    - name: Create Postgres data dir
-      file:
-        path: /srv/postgres14
-        state: directory
-        owner: pmm
-        group: pmm
-        mode: 0766
-
-    - name: Stop pmm-managed
-      supervisorctl:
-        name: pmm-managed
-        state: stopped
-      become: true
-      ignore_errors: True
-
-    - name: Initialize Postgres database
-      command: /usr/pgsql-14/bin/initdb -D /srv/postgres14 --auth=trust
-      become: true
-      become_user: pmm
-      become_method: su
-      ignore_errors: True
-
-    - name: Start Postgres database without supervisor
-      command: /usr/pgsql-14/bin/pg_ctl start -D /srv/postgres14 -o "-c logging_collector=off"
-      become: true
-      become_user: pmm
-      become_method: su
-
-    - name: Create postgres user
-      shell: /usr/pgsql-14/bin/createuser --echo --superuser --host=/run/postgresql --no-password postgres
-      become: true
-      become_user: pmm
-      become_method: su      
-
-    - name: Create pmm-managed database
-      postgresql_db:
-        name: pmm-managed
-        state: present
-
-    - name: Create pmm-managed user
-      postgresql_user:
-        db: pmm-managed
-        name: pmm-managed
-        password: "md5da757ec3e22c6d86a2bb8e70307fa937"
-        priv: "ALL"
-        expires: infinity
-        state: present
-
-    - name: Create pg_stat_statements extension
-      postgresql_ext:
-        db: postgres
-        name: pg_stat_statements
-        schema: public
-
-    - name: Stop Postgres 14 database without supervisor
-      command: /usr/pgsql-14/bin/pg_ctl stop -D /srv/postgres14
-      become: true
-      become_user: pmm
-      become_method: su
-
-  when: not postgres_14.stat.exists
diff --git a/update/ansible/playbook/tasks/roles/postgres/tasks/restore.yml b/update/ansible/playbook/tasks/roles/postgres/tasks/restore.yml
index 3d5a0b1fb8..f29b16e874 100644
--- a/update/ansible/playbook/tasks/roles/postgres/tasks/restore.yml
+++ b/update/ansible/playbook/tasks/roles/postgres/tasks/restore.yml
@@ -15,7 +15,7 @@
 
 - name: Set fact is_ha
   set_fact:
-    is_ha: lookup('env','GF_DATABASE_URL') == '' and lookup('env','GF_DATABASE_HOST') == ''
+    is_ha: not (lookup('env','GF_DATABASE_URL') == '' and lookup('env','GF_DATABASE_HOST') == '')
 
 - name: Restore the database
   block:
diff --git a/update/ansible/playbook/tasks/update.yml b/update/ansible/playbook/tasks/update.yml
index af2e68b41a..745d55cf6a 100644
--- a/update/ansible/playbook/tasks/update.yml
+++ b/update/ansible/playbook/tasks/update.yml
@@ -39,11 +39,6 @@
       tags:
         - skip_ansible_lint
 
-    - name: Create supervisord dir
-      file:
-        path: /etc/supervisord.d/
-        state: directory
-
     - name: Upgrade supervisor config
       copy:
         src: pmm.ini
@@ -73,14 +68,6 @@
         path: /etc/supervisord.d/supervisord.ini
       when: not is_docker
 
-    - name: Create grafana config
-      include_role:
-        name: grafana
-
-    - name: Install postgres
-      include_role:
-        name: postgres
-
     # Set forking type to 'simple'
     - name: Configure systemd
       when: not is_docker
@@ -176,14 +163,6 @@
     - name: Wait for pmm-managed
       pause: seconds=10
 
-    - name: Install nginx
-      include_role:
-        name: nginx
-
-    - name: Install clickhouse
-      include_role:
-        name: clickhouse
-
     # Fix things that should be fixed before restarts.
 
     - name: Stop systemd pmm-agent service, if running
@@ -201,12 +180,6 @@
         mode: 0755
       when: not is_docker
 
-    - name: Create change-admin-password command
-      copy:
-        src: change-admin-password
-        dest: /usr/local/sbin/change-admin-password
-        mode: 0755
-
     # https://jira.percona.com/browse/PMM-5271
     - name: Check volume size
       when: not is_docker

From 0c90f573d6b0b3b74e740c8e83284e9636b798db Mon Sep 17 00:00:00 2001
From: Alex Demidoff <alexander.demidoff@percona.com>
Date: Mon, 18 Dec 2023 16:21:48 +0300
Subject: [PATCH 4/4] PMM-12530 run supervisor as non root (#2643)

* PMM-12530 remove clickhouse upgrade role

* PMM-12530 set pmm user for supervisord jobs

* PMM-12530 move supervisord configs to the role

* PMM-12530 move non-docker tasks to their own playbook

* PMM-12530 fix wrong copy of grafana.ini

* PMM-12530 fix wrong description

* PMM-12530 a few description fixes

* PMM-12530 fix wrong task syntax

* PMM-12530 use loop instead of with_items

* PMM-12530 use a different become method for supervisorctl

* PMM-12530 use a command to restart grafana

* PMM-12530 use an interim Dockerfile

* PMM-12530 update the port in the docs

* PMM-12530 remove the service task

* PMM-12530 use a base Dockerfile

* PMM-12530 remove user creation for non-docker

* PMM-12530 provision deps for the base image

* PMM-12530 clean up supervisord role

* PMM-12530 put back dummy creds

* PMM-12530 clean up ansible scripts

* PMM-12530 change ownership of the distro file

* PMM-12530 update the entrypoint

* PMM-12530 remove support for v1 paths

* PMM-12530 remove supervisord.service

* PMM-12530 add a config for ansible

* PMM-12530 fix permissions for maintenance file

* PMM-12530 move ansible to the build directory

* PMM-12530 switch to pmm user

* PMM-12530 clean up Dockerfile

* PMM-12530 optimize entrypoint and dir creation tasks

* PMM-12530 fix nginx failures

* PMM-12530 fix the syntax error

* PMM-12530 remove comments

* PMM-12530 update the easy install script

* PMM-12530 move ansible lint checks to a proper Makefile

* PMM-12530 fix wrong syntaxt in docker volume

* PMM-12530 update the task description

* PMM-12530 send nginx logs to /dev/std{err,out}
---
 README.md                                     |   4 +-
 api-tests/server/version_test.go              |   1 -
 api/nginx/nginx.conf                          |   2 +-
 build/Makefile                                |  33 ++--
 {update => build/ansible}/.ansible-lint       |   0
 build/ansible/ansible.cfg                     |  11 ++
 .../pmm-docker}/files/maintenance.html        |   0
 .../ansible/pmm-docker}/init.yml              |  10 +-
 .../ansible/pmm-docker}/update.yml            | 184 ++++--------------
 .../ansible/pmm}/create-lvm.yml               |   1 +
 .../ansible/pmm}/files/cloud.cfg              |   0
 .../ansible/pmm}/files/resize-xfs-lvm         |   0
 .../ansible/pmm/files}/supervisord.service    |   0
 build/ansible/pmm/post-build-actions.yml      | 115 ++++-------
 build/ansible/pmm/systemd.yml                 |  43 ++++
 .../ansible/roles/dashboards}/tasks/main.yml  |  22 +--
 build/ansible/roles/grafana/tasks/main.yml    |   2 +-
 .../roles/initialization/tasks/main.yml       |  31 +--
 .../ansible/roles/nginx/files/conf.d/pmm.conf |   8 +-
 build/ansible/roles/nginx/files/nginx.conf    |   4 +-
 build/ansible/roles/nginx/tasks/main.yml      |  13 +-
 build/ansible/roles/pmm-images/tasks/main.yml |  95 ++++-----
 .../ansible}/roles/postgres/tasks/backup.yml  |  16 +-
 .../ansible}/roles/postgres/tasks/restore.yml |   9 +-
 .../files/supervisord.service                 |  15 --
 .../files/grafana.ini                         |   0
 .../ansible/roles/supervisord}/files/pmm.ini  |   8 +-
 .../roles/supervisord}/files/supervisord.ini  |   4 +-
 .../tasks/main.yml                            |  50 ++---
 build/docker/server/Dockerfile                |   7 +-
 build/docker/server/Dockerfile.el9            |  18 +-
 build/docker/server/README.md                 |   4 +-
 build/docker/server/entrypoint.sh             |  39 ++--
 build/packer/pmm.el9.json                     |  18 +-
 build/packer/pmm.json                         |   4 +-
 get-pmm.sh                                    |  38 ++--
 managed/services/grafana/auth_server.go       |   3 +-
 managed/services/grafana/auth_server_test.go  |   3 +-
 managed/services/supervisord/pmm_config.go    |   7 +-
 .../supervisord.d/pmm-db_disabled.ini         |   7 +-
 .../testdata/supervisord.d/pmm-db_enabled.ini |   7 +-
 managed/utils/envvars/parser.go               |   2 +-
 qan-api2/{.github => }/CONTRIBUTING.md        |   0
 update/.devcontainer/install-dev-tools.sh     |   6 +-
 update/Makefile                               |   5 -
 .../ansible/{playbook/templates => }/.gitkeep |   0
 .../playbook/tasks/roles/clickhouse/main.yml  |  18 --
 47 files changed, 355 insertions(+), 512 deletions(-)
 rename {update => build/ansible}/.ansible-lint (100%)
 create mode 100644 build/ansible/ansible.cfg
 rename {update/ansible/playbook/tasks => build/ansible/pmm-docker}/files/maintenance.html (100%)
 rename {update/ansible/playbook/tasks => build/ansible/pmm-docker}/init.yml (58%)
 rename {update/ansible/playbook/tasks => build/ansible/pmm-docker}/update.yml (50%)
 rename {update/ansible/playbook/tasks => build/ansible/pmm}/create-lvm.yml (95%)
 rename {update/ansible/playbook/tasks => build/ansible/pmm}/files/cloud.cfg (100%)
 rename {update/ansible/playbook/tasks => build/ansible/pmm}/files/resize-xfs-lvm (100%)
 rename {update/ansible/playbook/tasks => build/ansible/pmm/files}/supervisord.service (100%)
 create mode 100644 build/ansible/pmm/systemd.yml
 rename {update/ansible/playbook/tasks/roles/dashboards_upgrade => build/ansible/roles/dashboards}/tasks/main.yml (58%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/initialization/tasks/main.yml (68%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/postgres/tasks/backup.yml (85%)
 rename {update/ansible/playbook/tasks => build/ansible}/roles/postgres/tasks/restore.yml (90%)
 delete mode 100644 build/ansible/roles/supervisord-init/files/supervisord.service
 rename build/ansible/roles/{pmm-images => supervisord}/files/grafana.ini (100%)
 rename {update/ansible/playbook/tasks => build/ansible/roles/supervisord}/files/pmm.ini (93%)
 rename {update/ansible/playbook/tasks => build/ansible/roles/supervisord}/files/supervisord.ini (85%)
 rename build/ansible/roles/{supervisord-init => supervisord}/tasks/main.yml (62%)
 rename qan-api2/{.github => }/CONTRIBUTING.md (100%)
 rename update/ansible/{playbook/templates => }/.gitkeep (100%)
 delete mode 100644 update/ansible/playbook/tasks/roles/clickhouse/main.yml

diff --git a/README.md b/README.md
index 6d9fe88694..6419a781c3 100644
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ $ docker volume create pmm-data
 3. Run PMM server container
 ```bash
 $ docker run --detach --restart always \
---publish 443:443 \
+--publish 443:8443 \
 --volume pmm-data:/srv \
 --name pmm-server \
 percona/pmm-server:3
@@ -99,4 +99,4 @@ As a general rule of thumb, please try to create bug reports that are:
 
 ## Licensing
 
-Percona is dedicated to **keeping open source open**. Wherever possible, we strive to include permissive licensing for both our software and documentation. For this project, we are using the [GNU AGPLv3](https://github.com/percona/pmm/blob/main/LICENSE) license.
+Percona is dedicated to **keeping open source open**. Wherever possible, we strive to include permissive licensing for both our software and documentation. For this project, we are using the [GNU AGPLv3](./LICENSE) license.
diff --git a/api-tests/server/version_test.go b/api-tests/server/version_test.go
index 55294af65c..b0e2e1c141 100644
--- a/api-tests/server/version_test.go
+++ b/api-tests/server/version_test.go
@@ -34,7 +34,6 @@ import (
 func TestVersion(t *testing.T) {
 	t.Parallel()
 	paths := []string{
-		"managed/v1/version",
 		"v1/version",
 	}
 	for _, path := range paths {
diff --git a/api/nginx/nginx.conf b/api/nginx/nginx.conf
index 2e385864ba..730479d2a9 100644
--- a/api/nginx/nginx.conf
+++ b/api/nginx/nginx.conf
@@ -3,7 +3,7 @@
 
 daemon off;
 
-error_log stderr info;
+error_log /dev/stderr info;
 # error_log stderr debug;
 
 events {
diff --git a/build/Makefile b/build/Makefile
index 4bf4ea0d83..8d87e996e2 100644
--- a/build/Makefile
+++ b/build/Makefile
@@ -66,36 +66,39 @@ pmm-ami:
 						-var 'pmm_client_repo_name=percona-experimental-x86_64' \
 						-var 'pmm_server_repo=experimental' \
 						-only amazon-ebs -color=false \
-                                                packer/pmm.json
+						packer/pmm.json
 
 pmm-ami-rc:
 	docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
 			build -var 'pmm_client_repos=original testing' \
-				  	-var 'pmm_client_repo_name=percona-testing-x86_64' \
-					-var 'pmm_server_repo=testing' \
-				  	-only amazon-ebs '-color=false' \
-                                        packer/pmm.json
+						-var 'pmm_client_repo_name=percona-testing-x86_64' \
+						-var 'pmm_server_repo=testing' \
+						-only amazon-ebs '-color=false' \
+						packer/pmm.json
 
 pmm-ami-el9:
 	mkdir -p update && \
-	cp -r ../update/ansible/playbook/* update/ && \
-		sed -i 's|become_method: su|become_method: sudo|g' update/tasks/roles/postgres/tasks/main.yml && \
+		sed -i 's|become_method: su|become_method: sudo|g' ./roles/postgres/tasks/main.yml && \
 		docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
 		build -var 'pmm_client_repos=original experimental' \
 					-var 'pmm_client_repo_name=percona-experimental-x86_64' \
 					-var 'pmm_server_repo=experimental' \
 					-only amazon-ebs -color=false \
-                                        packer/pmm.el9.json
+					packer/pmm.el9.json
 
 pmm-ami-el9-rc:
 	mkdir -p update && \
-			cp -r ../update/ansible/playbook/* update/ && \
-			sed -i 's|become_method: su|become_method: sudo|g' update/tasks/roles/postgres/tasks/main.yml && \
-			docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
-			build -var 'pmm_client_repos=original testing' \
-				  	-var 'pmm_client_repo_name=percona-testing-x86_64' \
+		sed -i 's|become_method: su|become_method: sudo|g' ./roles/postgres/tasks/main.yml && \
+		docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
+		build -var 'pmm_client_repos=original testing' \
+					-var 'pmm_client_repo_name=percona-testing-x86_64' \
 					-var 'pmm_server_repo=testing' \
-				  	-only amazon-ebs '-color=false' \
-                                        packer/pmm.el9.json
+					-only amazon-ebs '-color=false' \
+					packer/pmm.el9.json
 
 ## ----------------- PACKER ------------------
+
+check:                          ## Run required checkers and linters
+	ansible-playbook --syntax-check ansible/pmm-docker/update.yml
+	ansible-playbook --check ansible/pmm-docker/update.yml
+	ansible-lint ansible/pmm-docker/update.yml
diff --git a/update/.ansible-lint b/build/ansible/.ansible-lint
similarity index 100%
rename from update/.ansible-lint
rename to build/ansible/.ansible-lint
diff --git a/build/ansible/ansible.cfg b/build/ansible/ansible.cfg
new file mode 100644
index 0000000000..60507f8031
--- /dev/null
+++ b/build/ansible/ansible.cfg
@@ -0,0 +1,11 @@
+# This is the default ansible.cfg file.
+# It necessary for ansible to work properly when it acts as 'pmm' user.
+# Otherwise, it will fail with 'Permission denied' error since the default paths are '/root/.ansible/tmp'
+# Ref: https://github.com/ansible/ansible/blob/stable-2.9/examples/ansible.cfg
+[defaults]
+
+remote_tmp     = /tmp
+local_tmp      = /tmp
+
+# additional paths to search for roles in, colon separated
+roles_path     = /opt/ansible/roles
diff --git a/update/ansible/playbook/tasks/files/maintenance.html b/build/ansible/pmm-docker/files/maintenance.html
similarity index 100%
rename from update/ansible/playbook/tasks/files/maintenance.html
rename to build/ansible/pmm-docker/files/maintenance.html
diff --git a/update/ansible/playbook/tasks/init.yml b/build/ansible/pmm-docker/init.yml
similarity index 58%
rename from update/ansible/playbook/tasks/init.yml
rename to build/ansible/pmm-docker/init.yml
index 5c27f29b2d..4eba8ceb66 100644
--- a/update/ansible/playbook/tasks/init.yml
+++ b/build/ansible/pmm-docker/init.yml
@@ -2,8 +2,10 @@
 # This playbook contains tasks executed during initialization PMM Server
 - hosts: localhost
   become: true
+  become_method: su
+  become_user: pmm
   gather_facts: true
-  tasks:
-    - name: Run initialization role
-      include_role:
-        name: initialization
+
+
+  roles:
+    - initialization
diff --git a/update/ansible/playbook/tasks/update.yml b/build/ansible/pmm-docker/update.yml
similarity index 50%
rename from update/ansible/playbook/tasks/update.yml
rename to build/ansible/pmm-docker/update.yml
index 745d55cf6a..8189a721dd 100644
--- a/update/ansible/playbook/tasks/update.yml
+++ b/build/ansible/pmm-docker/update.yml
@@ -9,19 +9,19 @@
     PATH: /usr/local/bin:{{ ansible_env.PATH }}
 
   pre_tasks:
-    - name: detect /srv/pmm-distribution
+    - name: Detect /srv/pmm-distribution
       stat:
         path: /srv/pmm-distribution
       no_log: true
       register: srv_pmm_distribution
 
-    - name: detect containers
+    - name: Detect container environment
       set_fact:
         is_docker: '{{ lookup("file", "/srv/pmm-distribution") == "docker" }}'
       no_log: true
       when: srv_pmm_distribution.stat.exists
 
-    - name: force container
+    - name: Set the variable to true if undefined
       set_fact:
         is_docker: true
       when: is_docker is undefined
@@ -31,19 +31,10 @@
       copy:
         src: maintenance.html
         dest: /usr/share/pmm-server/maintenance/
+        owner: pmm
+        group: pmm
         mode: 0644
 
-    - name: Cleanup yum metadata
-      command: yum clean metadata
-      become: true
-      tags:
-        - skip_ansible_lint
-
-    - name: Upgrade supervisor config
-      copy:
-        src: pmm.ini
-        dest: /etc/supervisord.d/pmm.ini
-
     # restart pmm-managed-init and pmm-managed first as they may update supervisord configuration on start
     - name: Generate new supervisor config
       command: pmm-managed-init
@@ -57,59 +48,17 @@
         option: autostart
         value: "false"
 
-    - name: Upgrade supervisord config
-      copy:
-        src: supervisord.ini
-        dest: /etc/supervisord.d/supervisord.ini
-
-    - name: Remove supervisord
-      file:
-        state: absent
-        path: /etc/supervisord.d/supervisord.ini
-      when: not is_docker
-
-    # Set forking type to 'simple'
-    - name: Configure systemd
-      when: not is_docker
-      copy:
-        src: supervisord.service
-        dest: /usr/lib/systemd/system/supervisord.service
-        mode: 0644
-
-    - name: Remove old supervisord service configuration
-      when: not is_docker
-      file:
-        path: /etc/systemd/system/supervisord.service
-        state: absent
-
-    # Start the services
-    - name: Enable supervisord        | Make the service persist between reboots
-      when: not is_docker
-      systemd:
-        name: supervisord
-        enabled: yes
-
-    - name: Supervisord start        | Start supervisord service for AMI/OVF
-      when: not is_docker
-      systemd:
-        name: supervisord
-        state: started # supervisord may already be running
-        daemon_reload: yes
-
     - name: Check that supervisor socket exists
       stat:
         path: /run/supervisor/supervisor.sock
-      register: is_supervisor_running
-
-    - name: Start supervisord for docker
-      when: 
-        - is_docker 
-        - not is_supervisor_running.stat.exists
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+      register: supervisor_socket
+
+    # During build time, this will be the first start of supervisord.
+    - name: Start supervisord
+      when: not supervisor_socket.stat.exists
       shell: supervisord -c /etc/supervisord.conf &
 
-    - name: Wait until postgres port is present before continuing
+    - name: Wait until postgres port is present
       wait_for:
         host: localhost
         port: 5432
@@ -118,80 +67,38 @@
     - name: Run initialization playbook
       include_role:
         name: initialization
-      vars:
-        ui_upgrade: True
-
-    - name: Enable crond service
-      when: not is_docker
-      service:
-        name: crond
-        state: started
-        enabled: yes
-
-    - name: Increase number of open files for jobs
-      when: not is_docker
-      ini_file:
-        dest: /etc/supervisord.conf
-        section: supervisord
-        option: minfds
-        value: "800000"
 
     # See https://github.com/Supervisor/supervisor/issues/1264 for explanation
     # why we do reread + stop/remove/add instead of using supervisorctl Ansible module.
-    - name: Reread supervisord configuration EL9
-      when:
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Reread supervisord configuration
       command: supervisorctl reread
+      become: true
+      become_user: pmm
+      become_method: su
       register: reread_result
       changed_when: "'No config updates to processes' not in reread_result.stdout"
 
     - name: Check reread results
       debug: var=reread_result.stdout_lines
 
-    - name: Restart pmm-managed EL9
-      when: 
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
-      command: supervisorctl {{ item }} pmm-managed
+    - name: Restart pmm-managed
+      command: "supervisorctl {{ item }} pmm-managed"
       become: true
-      changed_when: true
-      with_items: ["stop", "remove", "add"]
-
-    # give pmm-managed time to update supervisord configuration,
+      become_user: pmm
+      become_method: su
+      loop: 
+        - stop
+        - remove
+        - add
+
+    # Give pmm-managed time to update supervisord configuration,
     # and give update UI time to catch up after pmm-managed restart
     - name: Wait for pmm-managed
       pause: seconds=10
 
     # Fix things that should be fixed before restarts.
 
-    - name: Stop systemd pmm-agent service, if running
-      systemd:
-        name: pmm-agent
-        state: stopped
-        enabled: no
-      when: not is_docker
-
-    # https://jira.percona.com/browse/PMM-9298
-    - name: Copy rezise-xfs file for lvm
-      copy:
-        src: resize-xfs-lvm
-        dest: /var/lib/cloud/scripts/per-boot/resize-xfs
-        mode: 0755
-      when: not is_docker
-
-    # https://jira.percona.com/browse/PMM-5271
-    - name: Check volume size
-      when: not is_docker
-      replace:
-        dest: /var/lib/cloud/scripts/per-boot/resize-xfs
-        regexp: "set -o errexit"
-        replace: ""
-
-    - name: Reread supervisord configuration again EL9
-      when: 
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Reread supervisord configuration again
       command: supervisorctl reread
       register: reread_result
       changed_when: "'No config updates to processes' not in reread_result.stdout"
@@ -199,14 +106,12 @@
     - name: Check reread results
       debug: var=reread_result.stdout_lines
 
-    - name: Restart services EL9
-      when: 
-        - is_docker
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Restart services
       command: supervisorctl {{ item.1 }} {{ item.0 }}
       become: true
-      changed_when: true
+      become_user: pmm
+      become_method: su
+      # changed_when: true
       with_nested:
         - - nginx
           - grafana
@@ -237,31 +142,27 @@
         query: UPDATE "user" SET id='1' WHERE login='admin';
       when: not ansible_check_mode
 
-    # we need to put this step as one of the last steps, because it removes pmm.ini
-    - name: Remove redundant packages
-      yum:
-        state: absent
-        name:
-          - logrotate # https://jira.percona.com/browse/PMM-7627
+    # - name: Remove redundant packages
+    #   yum:
+    #     state: absent
+    #     name:
+    #       - logrotate # https://jira.percona.com/browse/PMM-7627
 
     # Regenerating pmm.ini and enabling pmm-update-perform-init
     - name: Generate new supervisor config
       command: pmm-managed-init
+      become: true
+      become_user: pmm
+      become_method: su      
       register: managed_init_result
       changed_when: True
 
-    - name: Reread pmm-update-perform-init supervisor config EL9
-      when:
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Reread pmm-update-perform-init supervisor config
       command: supervisorctl reread
       register: reread_init__result
       changed_when: "'No config updates to processes' not in reread_init__result.stdout"
 
-    - name: Update/restart other services EL9
-      when:
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Update/restart other services
       command: supervisorctl update
       register: update_result
       changed_when: "'updated' in update_result.stdout"
@@ -281,10 +182,7 @@
 
     # SIGUSR2 is sent to supervisord by pmm-managed right before the update for logging to work correctly.
     # We use that fact to show what was restarted during the update.
-    - name: Get supervisord logs EL9
-      when: 
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Get supervisord logs
       shell: supervisorctl maintail -100000 | tac | awk '!flag; /received SIGUSR2/{flag = 1};' | tac
       register: maintail_result
       changed_when: False
diff --git a/update/ansible/playbook/tasks/create-lvm.yml b/build/ansible/pmm/create-lvm.yml
similarity index 95%
rename from update/ansible/playbook/tasks/create-lvm.yml
rename to build/ansible/pmm/create-lvm.yml
index 93a072b38f..0126562c0a 100644
--- a/update/ansible/playbook/tasks/create-lvm.yml
+++ b/build/ansible/pmm/create-lvm.yml
@@ -1,3 +1,4 @@
+# TODO: This role seems to no longer be used. Verify and remove.
 - hosts: localhost
   become: true
   gather_facts: true
diff --git a/update/ansible/playbook/tasks/files/cloud.cfg b/build/ansible/pmm/files/cloud.cfg
similarity index 100%
rename from update/ansible/playbook/tasks/files/cloud.cfg
rename to build/ansible/pmm/files/cloud.cfg
diff --git a/update/ansible/playbook/tasks/files/resize-xfs-lvm b/build/ansible/pmm/files/resize-xfs-lvm
similarity index 100%
rename from update/ansible/playbook/tasks/files/resize-xfs-lvm
rename to build/ansible/pmm/files/resize-xfs-lvm
diff --git a/update/ansible/playbook/tasks/supervisord.service b/build/ansible/pmm/files/supervisord.service
similarity index 100%
rename from update/ansible/playbook/tasks/supervisord.service
rename to build/ansible/pmm/files/supervisord.service
diff --git a/build/ansible/pmm/post-build-actions.yml b/build/ansible/pmm/post-build-actions.yml
index e2cdbfdcd8..038e951b6a 100644
--- a/build/ansible/pmm/post-build-actions.yml
+++ b/build/ansible/pmm/post-build-actions.yml
@@ -1,67 +1,32 @@
 ---
-# This playbook is used as a post build actions for all pmm images (AMI/OVF/Docker).
+# This playbook runs post build tasks for all pmm distributions (AMI/OVF/Docker/Digitalocean).
 
-- hosts: localhost
+- hosts: all
   become: yes
   gather_facts: yes
   vars:
     pmm_client_repos: "original testing"
     pmm_client_repos_final: "original release"
+    pmm_server_distribution: "docker"
 
   tasks:
-    # pmm-managed checks that if /srv/pmm-distribution exist, it contains "docker", "ovf", or "ami" (all lowercase)
-    - name: Detect distribution        | Create '/srv/pmm-distribution' file for Docker
-      when: ansible_virtualization_type == "docker"
+    # pmm-managed checks that if /srv/pmm-distribution exists, it contains "docker", "ovf", "ami" or "digitalocean" - all lowercase.
+    # TODO: refactor the build pipelines to call post-build.yml with the distribution name provided in the variable (above).
+    # https://jira.percona.com/browse/PMM-4991
+    - name: Create a distribution file for Docker
       copy:
-        content: "docker"
-        dest: /srv/pmm-distribution
-
-    - name: Detect distribution        | Create '/srv/pmm-distribution' file for OVF
-      when: ansible_virtualization_type == "virtualbox"
-      copy:
-        content: "ovf"
-        dest: /srv/pmm-distribution
-
-    # TODO https://jira.percona.com/browse/PMM-4991
-    - name: Detect distribution        | Create '/srv/pmm-distribution' file for AMI
-      when: >
-        ( ansible_virtualization_type == "xen"
-        or ansible_virtualization_type == "kvm" )
-        and ansible_system_vendor != "DigitalOcean"
-      copy:
-        content: "ami"
-        dest: /srv/pmm-distribution
-
-    - name: Detect distribution        | Create '/srv/pmm-distribution' file for DigitalOcean
-      when: ansible_system_vendor == "DigitalOcean"
-      copy:
-        content: "digitalocean"
+        content: "{{ pmm_server_distribution}}"
         dest: /srv/pmm-distribution
+        owner: pmm
+        group: pmm
 
-    - name: Disable repo               | Disable testing repo for pmm-client
+    - name: Disable testing repo for pmm-client
       command: percona-release disable {{ pmm_client_repos }}
 
-    - name: Enable repo                | Enable release repo for pmm-client
+    - name: Enable release repo for pmm-client
       command: percona-release enable {{ pmm_client_repos_final }}
 
-    - name: Install glibc-langpack-en  | EL9
-      dnf:
-        name: glibc-langpack-en
-        state: present
-        update_cache: yes
-      when:
-        - ansible_virtualization_type != "docker"
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
-
-    - name: Set locale to en_US.utf8   | EL9
-      command: localectl set-locale LANG=en_US.utf8
-      when:
-        - ansible_virtualization_type != "docker"
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
-
-    - name: pmm-agent                  | Setup pmm-agent
+    - name: Set up pmm-agent
       command: >
         pmm-agent setup
         --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
@@ -70,29 +35,26 @@
         --server-address=127.0.0.1:8443
         --server-insecure-tls
 
-    - name: Reread supervisord configuration EL9
-      when:
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
-      command: /usr/local/bin/supervisorctl reread
+    - name: Reread supervisord configuration
+      command: supervisorctl reread
+      become: true
+      become_user: pmm
+      become_method: su      
       register: reread_result
       changed_when: "'No config updates to processes' not in reread_result.stdout"
 
     - name: See which service configs changed
       debug: var=reread_result.stdout_lines
 
-    - name: Stop pmm-managed before deleting the database EL9
-      when:
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Stop pmm-managed before deleting the database
       supervisorctl:
         name: pmm-managed
         state: stopped
+      become: true
+      become_user: pmm
+      become_method: su
 
-    - name: Remove pmm-managed database EL9
-      when: 
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Remove pmm-managed database
       postgresql_db:
         login_user: postgres
         name: pmm-managed
@@ -104,16 +66,14 @@
         name: pmm-managed
         state: absent
 
-    - name: Stop supervisord service for AMI/OVF
-      when: ansible_virtualization_type != "docker"
-      service: name=supervisord state=stopped enabled=yes
-
     - name: Stop supervisord service for docker
-      when: ansible_virtualization_type == "docker"
-      shell: supervisorctl shutdown
+      command: supervisorctl shutdown
+      become: true
+      become_user: pmm
+      become_method: su
 
     - name: Cleanup dnf cache
-      shell: dnf clean all
+      command: dnf clean all
 
     # "yum clean all" function will only remove cache from configured yum repositories
     # Details: https://bugzilla.redhat.com/show_bug.cgi?id=1357083
@@ -123,8 +83,10 @@
         path: /var/cache/dnf
 
     - name: Cleanup build logs and data
-      file: path={{ item }} state=absent
-      with_items:
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
         - /srv/logs
         - /tmp/RPMS
         - /var/log/dnf.log
@@ -141,6 +103,7 @@
       loop:
         - postgres
         - clickhouse
+        - nginx
 
     - name: Clean Clickhouse dir
       shell: find /srv/clickhouse -mindepth 1 -maxdepth 1 -print0 | xargs -0 rm -rf --
@@ -158,7 +121,7 @@
         owner: pmm
         group: pmm
         mode: 0775
-      with_items:
+      loop:
         - absent
         - directory
 
@@ -170,11 +133,11 @@
         group: pmm
         mode: 0775
 
-    # This is a temp workaround to make sure that the file exists and has the correct permissions.
-    # TODO: Remove, as it won't be needed once the main process is run as `pmm` user.
-    - name: Create nginx log file
+    # nginx needs to be able to write to /var/lib/nginx, but it's owned by root.
+    - name: Change ownership of nginx dirs
       file:
-        path: /srv/logs/nginx.log 
-        state: touch
+        path: /var/lib/nginx
+        state: directory
         group: pmm
         owner: pmm
+        recurse: yes
diff --git a/build/ansible/pmm/systemd.yml b/build/ansible/pmm/systemd.yml
new file mode 100644
index 0000000000..8d16d20a2f
--- /dev/null
+++ b/build/ansible/pmm/systemd.yml
@@ -0,0 +1,43 @@
+---
+# This playbook contains tasks executed during PMM Server update in non-docker environments.
+# TODO: refactor from supervisord to systemd if necessary.
+# NOTE: it's currently unused, just a placeholder for future use.
+- hosts: all
+  become: true
+  remote_user: root
+  gather_facts: true
+
+  # TODO: replace supervisord.service with pmm.service
+  tasks:
+    # Note: forking type must be set to 'simple'
+    - name: Configure supervisord
+      copy:
+        src: supervisord.service
+        dest: /usr/lib/systemd/system/supervisord.service
+        mode: 0644
+
+    # Start the services
+    - name: Enable supervisord service to persist between reboots
+      systemd:
+        name: supervisord
+        enabled: yes
+
+    - name: Start supervisord service for AMI/OVF
+      systemd:
+        name: supervisord
+        state: started # supervisord may already be running
+        daemon_reload: yes
+
+    - name: Enable crond service
+      service:
+        name: crond
+        state: started
+        enabled: yes
+
+    # https://jira.percona.com/browse/PMM-9298
+    - name: Copy rezise-xfs file for lvm
+      copy:
+        src: resize-xfs-lvm
+        dest: /var/lib/cloud/scripts/per-boot/resize-xfs
+        mode: 0755
+        force: true
diff --git a/update/ansible/playbook/tasks/roles/dashboards_upgrade/tasks/main.yml b/build/ansible/roles/dashboards/tasks/main.yml
similarity index 58%
rename from update/ansible/playbook/tasks/roles/dashboards_upgrade/tasks/main.yml
rename to build/ansible/roles/dashboards/tasks/main.yml
index 3e1745e998..e0c51bd75e 100644
--- a/update/ansible/playbook/tasks/roles/dashboards_upgrade/tasks/main.yml
+++ b/build/ansible/roles/dashboards/tasks/main.yml
@@ -1,12 +1,12 @@
 ---
 - name: Get plugin list
-  register: plugin_list
   find:
     paths: /usr/share/percona-dashboards/panels/
     depth: 2
     file_type: directory
+  register: plugin_list
 
-- name: Delete redundant dist folders
+- name: Delete older plugins
   file:
     path: "/srv/grafana/plugins/{{ item['path'].split('/')[-1] }}"
     state: absent
@@ -26,14 +26,12 @@
     mode: 0775
     recurse: yes
 
-- name: Restart grafana with new plugins EL9
-  supervisorctl:
-    name: grafana
-    state: restarted
+- name: Restart grafana with new plugins
+  shell: "supervisorctl {{ item }} grafana"
   become: true
-  when: 
-    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-    - ansible_distribution_major_version == '9'
-  ignore_errors: true
-  # TODO: fix the race condition.
-  # We generate grafana supervisor config in pmm-managed and it may not exist at this stage
+  become_user: pmm
+  become_method: su
+  loop:
+    - stop
+    - remove
+    - add
diff --git a/build/ansible/roles/grafana/tasks/main.yml b/build/ansible/roles/grafana/tasks/main.yml
index 6a84218c05..e214262520 100644
--- a/build/ansible/roles/grafana/tasks/main.yml
+++ b/build/ansible/roles/grafana/tasks/main.yml
@@ -48,7 +48,7 @@
     - plugins
     - dashboards
 
-- name: Create change-admin-password command
+- name: Copy change-admin-password command
   copy:
     src: change-admin-password
     dest: /usr/local/sbin/change-admin-password
diff --git a/update/ansible/playbook/tasks/roles/initialization/tasks/main.yml b/build/ansible/roles/initialization/tasks/main.yml
similarity index 68%
rename from update/ansible/playbook/tasks/roles/initialization/tasks/main.yml
rename to build/ansible/roles/initialization/tasks/main.yml
index 3bf62e9910..935f2b9d51 100644
--- a/update/ansible/playbook/tasks/roles/initialization/tasks/main.yml
+++ b/build/ansible/roles/initialization/tasks/main.yml
@@ -1,10 +1,5 @@
 ---
 # This role contains tasks executed during initialization of PMM Server
-- name: Determine type of upgrade
-  set_fact:
-    ui_upgrade: False
-  when: ui_upgrade is undefined
-
 - name: Get current version
   slurp:
     src: /srv/grafana/PERCONA_DASHBOARDS_VERSION
@@ -38,33 +33,17 @@
   debug:
     msg: "Current version: {{ pmm_current_version }} Image Version: {{ pmm_image_version }}"
 
-# We use current_version_file['failed'] because we don't want to run this on creating container
-# and we use pmm_current_version is version(pmm_image_version, '>=') to run it only if upgrade is required
-- name: Determine type of upgrade
-  set_fact:
-    docker_upgrade: "{{ not ui_upgrade and current_version_file['failed'] != true and not pmm_current_version is version(pmm_image_version, '>=') }}"
-
-- name: Print Docker upgrade fact
-  debug:
-    msg: "Docker upgrade: {{ docker_upgrade }}"
-
-- name: Enable maintenance mode only for docker upgrade
+- name: Enable maintenance mode before upgrade
   copy:
     src: maintenance.html
     dest: /usr/share/pmm-server/maintenance/
     owner: pmm
     group: pmm
     mode: 0644
-  when: docker_upgrade
 
 - name: Upgrade dashboards
   include_role:
-    name: dashboards_upgrade
-  when: need_upgrade
-
-- name: Clickhouse migration
-  include_role:
-    name: clickhouse
+    name: dashboards
   when: need_upgrade
 
 - name: Copy file with image version
@@ -77,10 +56,13 @@
     remote_src: yes
   when: need_upgrade
 
-- name: Create backup directory
+- name: Create a backup directory
   file:
     path: /srv/backup
     state: directory
+    owner: pmm
+    group: pmm
+    mode: 0775
 
 - name: Wait for PMM to be ready
   ansible.builtin.uri:
@@ -89,7 +71,6 @@
     method: GET
   retries: 120
   delay: 1
-  when: docker_upgrade
 
 - name: Disable maintenance mode
   file:
diff --git a/build/ansible/roles/nginx/files/conf.d/pmm.conf b/build/ansible/roles/nginx/files/conf.d/pmm.conf
index 91f077d71e..fca411bbe4 100644
--- a/build/ansible/roles/nginx/files/conf.d/pmm.conf
+++ b/build/ansible/roles/nginx/files/conf.d/pmm.conf
@@ -179,8 +179,8 @@
     }
 
     # Swagger UI
-    rewrite ^/swagger/swagger.json$ /swagger.json permanent;
-    rewrite ^(/swagger)/(.*)$ /swagger permanent;
+    rewrite ^/swagger/swagger.json$ $scheme://$http_host/swagger.json permanent;
+    rewrite ^(/swagger)/(.*)$ $scheme://$http_host/swagger permanent;
     location /swagger {
       auth_request off;
       root /usr/share/pmm-managed/swagger;
@@ -222,10 +222,8 @@
 
     # for minimal compatibility with PMM 1.x
     rewrite ^/ping$ /v1/readyz;
-    rewrite ^/managed/v1/version$ /v1/version;
 
     # logs.zip in both PMM 1.x and 2.x variants
-    rewrite ^/managed/logs.zip$ /logs.zip;
     location /logs.zip {
       proxy_pass http://managed-json;
       proxy_http_version 1.1;
@@ -253,7 +251,7 @@
 
       set $feed https://www.percona.com/blog/feed/;
       proxy_pass $feed;
-      proxy_set_header User-Agent "$http_user_agent pmm-server/2.x";
+      proxy_set_header User-Agent "$http_user_agent pmm-server/3.x";
       error_page 500 502 503 504 /pmm-static/local-rss.xml;
     }
   }
diff --git a/build/ansible/roles/nginx/files/nginx.conf b/build/ansible/roles/nginx/files/nginx.conf
index ea60c7bbe5..49f57aa5da 100644
--- a/build/ansible/roles/nginx/files/nginx.conf
+++ b/build/ansible/roles/nginx/files/nginx.conf
@@ -3,7 +3,7 @@ worker_processes  2;
 
 daemon off;
 
-error_log  /srv/logs/nginx.log warn;
+error_log  /dev/stderr warn;
 pid        /run/nginx.pid;
 
 events {
@@ -23,7 +23,7 @@ http {
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
-    access_log  /srv/logs/nginx.log  main;
+    access_log  /dev/stdout  main;
 
     sendfile        on;
     gzip            on;
diff --git a/build/ansible/roles/nginx/tasks/main.yml b/build/ansible/roles/nginx/tasks/main.yml
index d3cea0753a..d57a142e73 100644
--- a/build/ansible/roles/nginx/tasks/main.yml
+++ b/build/ansible/roles/nginx/tasks/main.yml
@@ -1,9 +1,6 @@
 ---
 # We already have nginx package in epel repo
 - name: Add Nginx repository
-  when:
-    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-    - ansible_distribution_major_version == '9'
   yum_repository:
     name: nginx
     description: nginx repo
@@ -60,10 +57,18 @@
   when: not certificate_file.stat.exists
   command: /var/lib/cloud/scripts/per-boot/generate-ssl-certificate
 
+- name: Find the default nginx config files
+  find:
+    paths: /etc/nginx
+    patterns: "*.default"
+  register: default_config
+
 - name: Remove the default nginx config files
   file:
-    path: /etc/nginx/*.default
+    path: "{{ item }}"
     state: absent
+  loop: "{{ default_config.files | map(attribute='path') | list }}"
+  when: default_config.files | length > 0
 
 - name: Change ownership of nginx dirs
   file:
diff --git a/build/ansible/roles/pmm-images/tasks/main.yml b/build/ansible/roles/pmm-images/tasks/main.yml
index 44d15d24a6..5a423b6ddf 100644
--- a/build/ansible/roles/pmm-images/tasks/main.yml
+++ b/build/ansible/roles/pmm-images/tasks/main.yml
@@ -5,9 +5,6 @@
     key: https://downloads.percona.com/downloads/RPM-GPG-KEY-percona
 
 - name: Add PMM3 Server YUM repository
-  when:
-    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-    - ansible_distribution_major_version == '9'
   yum_repository:
     name: pmm-server
     description: PMM Server YUM repository - x86_64
@@ -16,8 +13,8 @@
     enabled: yes
     gpgkey: file:///etc/pki/rpm-gpg/PERCONA-PACKAGING-KEY
 
-# local yum repo for building pmm server docker image in autobuild jobs
-- name: Packages                   | Add a local YUM repository
+# Local yum repo for building pmm server docker image in autobuild jobs
+- name: Add a local YUM repository
   when: ansible_virtualization_type == "docker"
   yum_repository:
     name: local
@@ -26,41 +23,31 @@
     gpgcheck: no
     enabled: no
 
-# we use it for pmm-client (TODO we'll need switch to pmm-client client repo)
+# we use it for pmm-client (TODO we'll need to switch to pmm-client repo)
 # To workaround the package's incompatibility with RHEL9, we have to ignore errors :(
 # Error: `Failed to validate GPG signature for percona-release-1.0-27.noarch`
 # Despite the error, this will still install the repo and the GPG key
-- name: Packages                   | Install percona-release rpm
+- name: Add percona-release repository
   yum:
     name: https://repo.percona.com/yum/percona-release-latest.noarch.rpm
     state: installed
   ignore_errors: True
 
-- name: Packages                   | Update OS EL9
-  when:
-    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-    - ansible_distribution_major_version == '9'
+- name: Update OS packages
   yum:
     name: "*"
     state: latest
     disablerepo: percona-release-x86_64
 
-- name: Packages                   | Install OS tools for EL9
-  when:
-    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-    - ansible_distribution_major_version == '9'
+- name: Install OS tools
   yum:
     name:
       - python3-pip
       - python3.11-pip
       - python3.11-psycopg2
       - rsync
-      - libsqlite3x-devel # package does not come pre-installed on EL9
 
 - name: Install ansible-core and ansible collections
-  when:
-    - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-    - ansible_distribution_major_version == '9'
   yum:
     name:
       - ansible-core
@@ -69,11 +56,6 @@
       - ansible-collection-ansible-posix
     state: present
 
-- name: Create users for non-docker images          | Create users
-  user:
-    name: "pmm"
-  when: ansible_virtualization_type != "docker"
-
 - name: Create users and groups in docker container
   block:
     - name: Ensure groups exist with correct gid
@@ -82,10 +64,11 @@
         gid: "{{ item.gid }}"
       loop:
         - { name: pmm, gid: 1000 }
-        - { name: nginx, gid: 1002 }
-        - { name: clickhouse, gid: 1001 }
+        - { name: nginx, gid: 1001 }
+        - { name: clickhouse, gid: 1002 }
 
-    - name: Create users              | Create users
+    # Note: nginx and clickhouse users will get removed in post-build.
+    - name: Create users
       user:
         name: "{{ item.name }}"
         uid: "{{ item.uid }}"
@@ -95,17 +78,24 @@
         group: "{{ item.group }}"
       loop:
         - { name: pmm, uid: 1000, comment: "PMM Server", shell: "/usr/bin/bash", home: "/home/pmm", group: pmm, }
-        - { name: nginx, uid: 1002, comment: "nginx user", shell: "/sbin/nologin", home: "/dev/null", group: nginx, }
-        - { name: clickhouse, uid: 1001, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/dev/null", group: clickhouse, }
+        - { name: nginx, uid: 1001, comment: "Nginx user", shell: "/sbin/nologin", home: "/dev/null", group: nginx, }
+        - { name: clickhouse, uid: 1002, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/dev/null", group: clickhouse, }
 
   when: ansible_virtualization_type == "docker"
 
-- name: Create directories        | Create dirs
-  file: path={{ item }} state=directory owner=pmm group=pmm
-  with_items:
+- name: Create directories (mask 022)
+  file: 
+    path: "{{ item }}"
+    state: directory
+    owner: pmm
+    group: pmm
+  loop:
+    - /srv # otherwise it's owned by root
     - /srv/prometheus/rules
     - /etc/grafana
+    - /srv/clickhouse
 
+# Note a special mode required mainly by nginx
 - name: Create a directory for logs
   file:
     path: /srv/logs
@@ -114,22 +104,16 @@
     group: pmm
     mode: 0775
 
-- name: Create clickhouse data directory
-  file:
-    path: /srv/clickhouse
-    state: directory
-    owner: pmm
-    group: pmm
-    mode: 0755
-
-- name: Create dirs                | Create dirs
+- name: Create dirs
   when: ansible_virtualization_type == "docker"
-  file: path={{ item }} state=directory
-  with_items:
+  file: 
+    path: "{{ item }}"
+    state: directory
+  loop:
     - /var/lib/cloud/scripts/per-once
     - /var/lib/cloud/scripts/per-boot
 
-- name: Install RPMs               | Install RPMs for PMM3 server
+- name: Install PMM Server components
   yum:
     name:
       - percona-grafana
@@ -162,33 +146,22 @@
 
 - name: Install supervisord
   include_role:
-    name: supervisord-init
+    name: supervisord
 
-- name: PMM                        | Enable repo for pmm-client
+- name: Enable repo for pmm-client
   command: percona-release enable {{ pmm_client_repos }}
 
 - name: Install pmm-client
   include_role:
     name: pmm-client
 
-- name: Disable pmm-agent service | Disable pmm-agent
-  when: ansible_virtualization_type != "docker"
-  service: name=pmm-agent state=stopped enabled=no
-
-- name: Create tmp dirs           | Create tmp dirs
-  when: ansible_virtualization_type != "docker"
-  command: /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
-
-- name: Copy grafana.ini file for the first run
-  copy:
-    src: grafana.ini
-    dest: /etc/supervisord.d/grafana.ini
-    mode: 0644
-
-- name: Create backup directory
+- name: Create a backup directory
   file:
     path: /srv/backup
     state: directory
+    owner: pmm
+    group: pmm
+    mode: 0775
 
 - name: Create a working directory for VictoriaMetrics
   file:
diff --git a/update/ansible/playbook/tasks/roles/postgres/tasks/backup.yml b/build/ansible/roles/postgres/tasks/backup.yml
similarity index 85%
rename from update/ansible/playbook/tasks/roles/postgres/tasks/backup.yml
rename to build/ansible/roles/postgres/tasks/backup.yml
index 80eae4447e..2daabb37a9 100644
--- a/update/ansible/playbook/tasks/roles/postgres/tasks/backup.yml
+++ b/build/ansible/roles/postgres/tasks/backup.yml
@@ -1,7 +1,7 @@
 ---
 # Backup Postgres Databases
 # This playbook can be run on its own as follows:
-# ansible-playbook -i localhost /usr/share/pmm-update/ansible/playbook/tasks/roles/postgres/tasks/backup.yml
+# ansible-playbook -i localhost /opt/ansible/roles/postgres/tasks/backup.yml
 # or using `include_role` from another playbook with `tasks_from: backup.yml`
 
 - name: Check if supervisor socket exists
@@ -28,6 +28,8 @@
       - pmm-agent
       - postgresql
     become: true
+    become_user: pmm
+    become_method: su
 
   - name: Run Postgres database without supervisor
     command: /usr/pgsql-14/bin/pg_ctl start -D /srv/postgres14 -o "-c logging_collector=off"
@@ -35,14 +37,6 @@
     become_user: pmm
     become_method: su
 
-  - name: Create the backup directory if it does not exist
-    file:
-      path: /srv/backup
-      state: directory
-      owner: pmm
-      group: pmm
-      mode: 0775
-
   - name: Dump pmm-managed database
     postgresql_db:
       name: pmm-managed
@@ -71,6 +65,8 @@
       - postgresql
       - pmm-managed
       - pmm-agent
-    become: true    
+    become: true
+    become_user: pmm
+    become_method: su 
 
   when: is_supervisor_running
diff --git a/update/ansible/playbook/tasks/roles/postgres/tasks/restore.yml b/build/ansible/roles/postgres/tasks/restore.yml
similarity index 90%
rename from update/ansible/playbook/tasks/roles/postgres/tasks/restore.yml
rename to build/ansible/roles/postgres/tasks/restore.yml
index f29b16e874..c3485f4dcf 100644
--- a/update/ansible/playbook/tasks/roles/postgres/tasks/restore.yml
+++ b/build/ansible/roles/postgres/tasks/restore.yml
@@ -1,7 +1,7 @@
 ---
 # Restore Postgres Databases
 # This playbook can be run on its own as follows:
-# ansible-playbook -i localhost /usr/share/pmm-update/ansible/playbook/tasks/roles/postgres/tasks/restore.yml
+# ansible-playbook -i localhost /opt/ansible/roles/postgres/tasks/restore.yml
 # or using `include_role` from another playbook with `tasks_from: restore.yml`
 
 - name: Check if supervisor socket exists
@@ -28,6 +28,8 @@
       - pmm-agent
       - postgresql
     become: true
+    become_user: pmm
+    become_method: su
 
   - name: Run Postgres database without supervisor
     command: /usr/pgsql-14/bin/pg_ctl start -D /srv/postgres
@@ -68,6 +70,9 @@
       - postgresql
       - pmm-managed
       - pmm-agent
-    become: true    
+    become: true
+    become_user: pmm
+    become_method: su
+ 
 
   when: is_supervisor_running
diff --git a/build/ansible/roles/supervisord-init/files/supervisord.service b/build/ansible/roles/supervisord-init/files/supervisord.service
deleted file mode 100644
index fb8a92c84f..0000000000
--- a/build/ansible/roles/supervisord-init/files/supervisord.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=Process Monitoring and Control Daemon
-After=rc-local.service nss-user-lookup.target
-After=network.target
-RequiresMountsFor=/srv
-
-[Service]
-Type=simple
-# we need to wait till time is synchronized
-ExecStartPre=/usr/bin/sleep 10
-ExecStart=/usr/bin/supervisord -c /etc/supervisord.conf
-TimeoutStartSec=120
-
-[Install]
-WantedBy=multi-user.target
diff --git a/build/ansible/roles/pmm-images/files/grafana.ini b/build/ansible/roles/supervisord/files/grafana.ini
similarity index 100%
rename from build/ansible/roles/pmm-images/files/grafana.ini
rename to build/ansible/roles/supervisord/files/grafana.ini
diff --git a/update/ansible/playbook/tasks/files/pmm.ini b/build/ansible/roles/supervisord/files/pmm.ini
similarity index 93%
rename from update/ansible/playbook/tasks/files/pmm.ini
rename to build/ansible/roles/supervisord/files/pmm.ini
index 0215623ccf..dec1638e1a 100644
--- a/update/ansible/playbook/tasks/files/pmm.ini
+++ b/build/ansible/roles/supervisord/files/pmm.ini
@@ -9,7 +9,8 @@ password = dummy
 
 ; we rewrite autostart to true during update or build.
 [program:pmm-update-perform-init]
-command = /usr/sbin/pmm-update -run-playbook -playbook=/usr/share/pmm-update/ansible/playbook/tasks/init.yml
+command = /usr/sbin/pmm-update -run-playbook -playbook=/opt/ansible/pmm-docker/init.yml
+user = pmm
 directory = /
 autorestart = unexpected
 priority=-1
@@ -68,6 +69,7 @@ redirect_stderr = true
 [program:nginx]
 priority = 4
 command = nginx
+user = pmm
 autorestart = true
 autostart = true
 startretries = 10
@@ -89,6 +91,7 @@ command =
         --postgres-username=pmm-managed
         --postgres-password=pmm-managed
         --supervisord-config-dir=/etc/supervisord.d
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000
@@ -116,7 +119,8 @@ stdout_logfile_backups = 2
 redirect_stderr = true
 
 [program:pmm-update-perform]
-command = /usr/sbin/pmm-update -perform -playbook=/usr/share/pmm-update/ansible/playbook/tasks/update.yml
+command = /usr/sbin/pmm-update -perform -playbook=/opt/ansible/pmm-docker/update.yml
+user = pmm
 directory = /
 autorestart = unexpected
 exitcodes = 0
diff --git a/update/ansible/playbook/tasks/files/supervisord.ini b/build/ansible/roles/supervisord/files/supervisord.ini
similarity index 85%
rename from update/ansible/playbook/tasks/files/supervisord.ini
rename to build/ansible/roles/supervisord/files/supervisord.ini
index adf3ed726d..c9eeb67347 100644
--- a/update/ansible/playbook/tasks/files/supervisord.ini
+++ b/build/ansible/roles/supervisord/files/supervisord.ini
@@ -1,4 +1,5 @@
 [supervisord]
+user = pmm
 logfile = /srv/logs/supervisord.log
 logfile_maxbytes = 5MB
 logfile_backups = 1
@@ -6,5 +7,4 @@ loglevel = info
 pidfile = /tmp/supervisord.pid
 nodaemon = true
 nocleanup = false
-user = root
-strip_ansi = false
\ No newline at end of file
+strip_ansi = false
diff --git a/build/ansible/roles/supervisord-init/tasks/main.yml b/build/ansible/roles/supervisord/tasks/main.yml
similarity index 62%
rename from build/ansible/roles/supervisord-init/tasks/main.yml
rename to build/ansible/roles/supervisord/tasks/main.yml
index 878485fa03..43d7286f96 100644
--- a/build/ansible/roles/supervisord-init/tasks/main.yml
+++ b/build/ansible/roles/supervisord/tasks/main.yml
@@ -11,7 +11,6 @@
 
 - name: Create a default configuration file for supervisord
   shell: /usr/local/bin/echo_supervisord_conf > /etc/supervisord.conf
-  ignore_errors: True
 
 - name: Modify supervisord.conf
   ini_file:
@@ -32,14 +31,7 @@
     dest: /etc/supervisord.conf
     section: supervisord
     option: logfile
-    value: "/srv/logs/supervisord.log"
-
-- name: Modify supervisord.conf
-  ini_file:
-    dest: /etc/supervisord.conf
-    section: supervisord
-    option: pidfile
-    value: /run/supervisord.pid
+    value: /srv/logs/supervisord.log
 
 - name: Modify supervisord.conf
   ini_file:
@@ -48,25 +40,33 @@
     option: serverurl
     value: unix:///run/supervisor/supervisor.sock
 
-- name: Create dirs
+- name: Create a directory for socket
   file:
     path: /run/supervisor
     state: directory
+    owner: pmm
+    group: pmm
     mode: 0770
 
 - name: Create /etc/supervisord.d dir
   file:
     path: /etc/supervisord.d
-    mode: 0755
     state: directory
+    owner: pmm
+    group: pmm
+    mode: 0755
 
-- name: Add /etc/tmpfiles.d/supervisor.conf config
-  when: ansible_virtualization_type != "docker"
+- name: Copy *.ini files for PMM components
   copy:
-    content: |
-      D /var/run/supervisor 0775 root root -
-    dest: /etc/tmpfiles.d/supervisor.conf
+    src: "{{ item }}"
+    dest: "/etc/supervisord.d/{{ item }}"
+    owner: pmm
+    group: pmm
     mode: 0644
+  loop:
+    - supervisord.ini
+    - grafana.ini
+    - pmm.ini
 
 - name: Fix credentials
   ini_file:
@@ -82,24 +82,6 @@
     option: password
     value: dummy
 
-- name: Increase number of open files for jobs
-  when: ansible_virtualization_type != "docker"
-  ini_file:
-    dest: /etc/supervisord.conf
-    section: supervisord
-    option: minfds
-    value: "800000"
-
-- name: Add supervisord.service
-  when: ansible_virtualization_type != "docker"
-  copy:
-    src: supervisord.service
-    dest: /usr/lib/systemd/system/
-    mode: 0644
-
-- name: Fix motd
-  shell: echo "Welcome to PMM Server!" > /etc/motd; echo "Welcome to PMM Server!" > /etc/motd.conf
-
 - name: Print the contents of supervisord.conf
   debug:
     msg:
diff --git a/build/docker/server/Dockerfile b/build/docker/server/Dockerfile
index 65acb5826f..057baf88ca 100644
--- a/build/docker/server/Dockerfile
+++ b/build/docker/server/Dockerfile
@@ -23,9 +23,10 @@ COPY pmm-client.tar.gz /tmp/
 
 COPY ansible /opt/ansible
 RUN cp -r /opt/ansible/roles /opt/ansible/pmm-docker/roles
-RUN ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/main.yml \
-    && ansible-playbook -vvv -i 'localhost,' -c local /usr/share/pmm-update/ansible/playbook/tasks/update.yml \
-    && ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm/post-build-actions.yml
+
+RUN ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/main.yml && \
+    ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/update.yml && \
+    ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm/post-build-actions.yml
 
 COPY entrypoint.sh /opt/entrypoint.sh
 HEALTHCHECK --interval=3s --timeout=2s --start-period=10s --retries=3 CMD curl -f http://127.0.0.1/v1/readyz || exit 1
diff --git a/build/docker/server/Dockerfile.el9 b/build/docker/server/Dockerfile.el9
index a7ed9285a5..35dc8ac340 100644
--- a/build/docker/server/Dockerfile.el9
+++ b/build/docker/server/Dockerfile.el9
@@ -27,19 +27,21 @@ RUN microdnf -y install epel-release && \
                         yum \
                         vi
 
+COPY entrypoint.sh /opt/entrypoint.sh
+COPY ansible /opt/ansible
 COPY RPMS /tmp/RPMS
 COPY gitCommit /tmp/gitCommit
 
 # Use COPY as we want to unarchive it with ansible
 COPY pmm-client.tar.gz /tmp/
 
-COPY ansible /opt/ansible
-# NOTE: this needs to be refactored, since some of the playbooks are duplicates
-RUN cp -r /opt/ansible/roles /opt/ansible/pmm-docker/roles
-RUN ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/main.yml \
-  && ansible-playbook -vvv -i 'localhost,' -c local /usr/share/pmm-update/ansible/playbook/tasks/update.yml \
-  && ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm/post-build-actions.yml
+RUN install -T -p -m 644 /opt/ansible/ansible.cfg /etc/ansible/ansible.cfg && \
+    ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/main.yml && \
+    ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/update.yml && \
+    ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm/post-build-actions.yml
+
+USER pmm
+
+HEALTHCHECK --interval=3s --timeout=2s --start-period=10s --retries=3 CMD curl -sf http://127.0.0.1:8080/v1/readyz
 
-COPY entrypoint.sh /opt/entrypoint.sh
-HEALTHCHECK --interval=3s --timeout=2s --start-period=10s --retries=3 CMD curl -f http://127.0.0.1:8080/v1/readyz || exit 1
 CMD ["/opt/entrypoint.sh"]
diff --git a/build/docker/server/README.md b/build/docker/server/README.md
index ca805a4442..d49a8136c2 100644
--- a/build/docker/server/README.md
+++ b/build/docker/server/README.md
@@ -12,12 +12,12 @@ Percona Monitoring and Management (PMM) is an open source database observability
 ```
 docker pull percona/pmm-server:3
 docker volume create pmm-data
-docker run --detach --restart always --publish 443:443 -v pmm-data:/srv --name pmm-server percona/pmm-server:3
+docker run --detach --restart always --publish 443:8443 -v pmm-data:/srv --name pmm-server percona/pmm-server:3
 ```
 
 Point your browser to https://hostname:443
 
-This example uses the tag `:2` to pull the latest PMM 2.x version, but other, [more specific tags](https://hub.docker.com/r/percona/pmm-server/tags), are also available.
+This example uses the tag `:3` to pull the latest PMM 3.x version, but other, [more specific tags](https://hub.docker.com/r/percona/pmm-server/tags), are also available.
 
 ## Environment variables
 
diff --git a/build/docker/server/entrypoint.sh b/build/docker/server/entrypoint.sh
index fe09758328..51f79746dd 100755
--- a/build/docker/server/entrypoint.sh
+++ b/build/docker/server/entrypoint.sh
@@ -1,28 +1,35 @@
 #!/bin/bash
 set -o errexit
 
-# init /srv if empty
+if [ ! -w /srv ]; then
+    echo "FATAL: /srv is not writable by $(whoami) user." >&2
+    echo "Please make sure that /srv is owned by uid $(id -u) and gid $(id -g) and try again." >&2
+    echo "You can change ownership by running: sudo chown -R $(id -u):$(id -g) /srv" >&2
+    exit 1
+fi
+
+# Initialize /srv if empty
 DIST_FILE=/srv/pmm-distribution
 if [ ! -f $DIST_FILE ]; then
-    echo "File $DIST_FILE doesn't exist. Initialize /srv..."
+    echo "File $DIST_FILE doesn't exist. Initializing /srv..."
     echo docker > $DIST_FILE
-    mkdir -p /srv/{clickhouse,grafana,logs,postgres14,prometheus,nginx,victoriametrics}
-    echo "Copying plugins and VERSION file"
+    mkdir -p /srv/{backup,clickhouse,grafana,logs,nginx,postgres14,prometheus,victoriametrics}
+    echo "Copying grafana plugins and the VERSION file..."
+    cp -r /usr/share/percona-dashboards/panels/* /srv/grafana/plugins
     cp /usr/share/percona-dashboards/VERSION /srv/grafana/PERCONA_DASHBOARDS_VERSION
-    cp -r /usr/share/percona-dashboards/panels/ /srv/grafana/plugins
-    chown -R pmm:pmm /srv/grafana
-    chown pmm:pmm /srv/{victoriametrics,prometheus,logs}
-    chown pmm:pmm /srv/postgres14
-    echo "Generating self-signed certificates for nginx"
+    
+    echo "Generating self-signed certificates for nginx..."
     bash /var/lib/cloud/scripts/per-boot/generate-ssl-certificate
-    echo "Initializing Postgres"
-    su pmm -c "/usr/pgsql-14/bin/initdb -D /srv/postgres14 --auth=trust --username=postgres"
-    echo "Enable pg_stat_statements extension"
-    su pmm -c "/usr/pgsql-14/bin/pg_ctl start -D /srv/postgres14 -o '-c logging_collector=off'"
+    
+    echo "Initializing Postgres..."
+    /usr/pgsql-14/bin/initdb -D /srv/postgres14 --auth=trust --username=postgres
+    
+    echo "Enabling pg_stat_statements extension for PostgreSQL..."
+    /usr/pgsql-14/bin/pg_ctl start -D /srv/postgres14 -o '-c logging_collector=off'
     # We create the postgres user with superuser privileges to not break the code that connects pmm-managed to postgres.
-    su pmm -c "/usr/pgsql-14/bin/createuser --echo --superuser --host=/run/postgresql --no-password postgres"
-    su pmm -c "/usr/bin/psql postgres postgres -c 'CREATE EXTENSION pg_stat_statements SCHEMA public'"
-    su pmm -c "/usr/pgsql-14/bin/pg_ctl stop -D /srv/postgres14"
+    /usr/pgsql-14/bin/createuser --echo --superuser --host=/run/postgresql --no-password postgres
+    /usr/bin/psql postgres postgres -c 'CREATE EXTENSION pg_stat_statements SCHEMA public'
+    /usr/pgsql-14/bin/pg_ctl stop -D /srv/postgres14
 fi
 
 # pmm-managed-init validates environment variables.
diff --git a/build/packer/pmm.el9.json b/build/packer/pmm.el9.json
index b6ded35a72..536e466bb8 100644
--- a/build/packer/pmm.el9.json
+++ b/build/packer/pmm.el9.json
@@ -131,22 +131,22 @@
         "ansible/roles/cloud-node",
         "ansible/roles/lvm-init",
         "ansible/roles/pmm-images",
-        "ansible/roles/supervisord-init",
+        "ansible/roles/supervisord",
         "ansible/roles/ami-ovf"
       ]
     },
     {
       "type": "ansible-local",
-      "playbook_dir": "update/tasks",
-      "playbook_file": "update/tasks/update.yml",
+      "playbook_dir": "ansible/pmm-docker",
+      "playbook_file": "ansible/pmm-docker/update.yml",
       "extra_arguments": ["-vvv", "-u root"],
       "role_paths": [
-        "update/tasks/roles/clickhouse",
-        "update/tasks/roles/dashboards_upgrade",
-        "update/tasks/roles/grafana",
-        "update/tasks/roles/initialization",
-        "update/tasks/roles/nginx",
-        "update/tasks/roles/postgres"
+        "ansible/roles/clickhouse",
+        "ansible/roles/dashboards",
+        "ansible/roles/grafana",
+        "ansible/roles/initialization",
+        "ansible/roles/nginx",
+        "ansible/roles/postgres"
       ]
     },
     {
diff --git a/build/packer/pmm.json b/build/packer/pmm.json
index 3312dcbae5..f816657ef1 100644
--- a/build/packer/pmm.json
+++ b/build/packer/pmm.json
@@ -123,14 +123,14 @@
                 "ansible/roles/cloud-node",
                 "ansible/roles/lvm-init",
                 "ansible/roles/pmm-images",
-                "ansible/roles/supervisord-init",
+                "ansible/roles/supervisord",
                 "ansible/roles/ami-ovf"
             ]
         },
         {
             "type": "shell",
             "inline": [
-                "sudo ansible-playbook -vvv -i 'localhost,' -c local /usr/share/pmm-update/ansible/playbook/tasks/update.yml"
+                "sudo ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/tasks/update.yml"
             ]
         },
         {
diff --git a/get-pmm.sh b/get-pmm.sh
index bb04db2d18..b76f411d83 100755
--- a/get-pmm.sh
+++ b/get-pmm.sh
@@ -13,12 +13,12 @@ set -Eeuo pipefail
 trap cleanup SIGINT SIGTERM ERR EXIT
 
 # Set defaults.
-tag=${PMM_TAG:-"2"}
-repo=${PMM_REPO:-"percona/pmm-server"}
+tag=${PMM_TAG:-3}
+repo=${PMM_REPO:-percona/pmm-server}
 port=${PMM_PORT:-443}
-container_name=${CONTAINER_NAME:-"pmm-server"}
+container_name=${CONTAINER_NAME:-pmm-server}
 interactive=0
-root_is_needed='no'
+root_is_needed=no
 
 #######################################
 # Show script usage info.
@@ -85,9 +85,9 @@ msg() {
 #   writes message to stderr.
 #######################################
 die() {
-  local msg=$1
+  local message=$1
   local code=${2-1} # default exit status 1
-  msg "$msg"
+  msg "$message"
   exit "$code"
 }
 
@@ -136,7 +136,7 @@ gather_info() {
   : ${port:=$default_port}
   read -p "  PMM Server Container Name (default: $default_container_name): " container_name
   : ${container_name:="$default_container_name"}
-  read -p "  Override specific version (container tag) (default: $default_tag in 2.x series) format: 2.x.y: " tag
+  read -p "  Override specific version (container tag) (default: $default_tag in 3.x series) format: 3.x.y: " tag
   : ${tag:=$default_tag}
 }
 
@@ -179,7 +179,7 @@ install_docker() {
   if ! check_command docker; then
     if is_darwin; then
       echo
-      echo "ERROR: Cannot auto-install components on macOS"
+      echo "ERROR: Cannot auto-install components on MacOS"
       echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop and rerun installer after starting"
       echo
       exit 1
@@ -198,7 +198,7 @@ install_docker() {
     if ! run_root 'docker ps > /dev/null'; then
       if is_darwin; then
         run_root 'open --background -a Docker'
-        echo "Giving docker desktop time to start"
+        echo "Giving Docker Desktop time to start"
         sleep 30
       else
         die "${RED}ERROR: cannot run "docker ps" command${NOFORMAT}"
@@ -219,15 +219,17 @@ run_docker() {
 }
 
 #######################################
-# Starts PMM server container with give repo, tag, name and port.
-# If any PMM server instance is run - stop and backup it.
+# Starts PMM Server container with given repo, tag, name and port.
+# If a PMM Server instance is running - stop and back it up.
 #######################################
 start_pmm() {
-  msg "Starting PMM server..."
+  msg "Starting PMM Server..."
   run_docker "pull $repo:$tag 1> /dev/null"
 
   if ! run_docker "inspect pmm-data 1> /dev/null 2> /dev/null"; then
-    run_docker "create -v /srv/ --name pmm-data $repo:$tag /bin/true 1> /dev/null"
+    if ! run_docker "volume create pmm-data 1> /dev/null"; then
+      die "${RED}ERROR: cannot create PMM Data Volume${NOFORMAT}"
+    fi
     msg "Created PMM Data Volume: pmm-data"
   fi
 
@@ -237,17 +239,17 @@ start_pmm() {
     run_docker 'stop pmm-server' || :
     run_docker "rename pmm-server $pmm_archive\n"
   fi
-  run_pmm="run -d -p $port:8443 --volumes-from pmm-data --name $container_name --restart always $repo:$tag"
+  run_pmm="run -d -p $port:8443 --volume pmm-data:/srv --name $container_name --restart always $repo:$tag"
 
   run_docker "$run_pmm 1> /dev/null"
   msg "Created PMM Server: $container_name"
-  msg "\tUse the following command if you ever need to update your container by hand:"
+  msg "\nUse the following command if you ever need to update your container manually:"
   msg "\tdocker $run_pmm \n"
 }
 
 #######################################
 # Shows final message.
-# Shows a list of addresses on which PMM server available.
+# Shows a list of addresses on which PMM Server is available.
 #######################################
 show_message() {
   msg "PMM Server has been successfully setup on this system!\n"
@@ -257,7 +259,7 @@ show_message() {
   elif check_command ip; then
     ips=$(ip -f inet a | awk -F"[/ ]+" '/inet / {print $3}')
   else
-    die "${RED}ERROR: cannot detect PMM server address${NOFORMAT}"
+    die "${RED}ERROR: cannot detect PMM Server address${NOFORMAT}"
   fi
 
   msg "You can access your new server using one of the following web addresses:"
@@ -271,7 +273,7 @@ show_message() {
 
 main() {
   setup_colors
-  if [[ $interactive == 1 ]]; then
+  if [[ "$interactive" == 1 ]]; then
     gather_info
   fi
   msg "Gathering/downloading required components, this may take a moment\n"
diff --git a/managed/services/grafana/auth_server.go b/managed/services/grafana/auth_server.go
index 0a83233659..0c1b086d69 100644
--- a/managed/services/grafana/auth_server.go
+++ b/managed/services/grafana/auth_server.go
@@ -78,8 +78,7 @@ var rules = map[string]role{
 	"/ping":                 none, // PMM 1.x variant
 
 	// must not be available without authentication as it can leak data
-	"/v1/version":         viewer,
-	"/managed/v1/version": viewer, // PMM 1.x variant
+	"/v1/version": viewer,
 
 	"/v0/qan/": viewer,
 
diff --git a/managed/services/grafana/auth_server_test.go b/managed/services/grafana/auth_server_test.go
index 09cb5cd319..e4efdca3d9 100644
--- a/managed/services/grafana/auth_server_test.go
+++ b/managed/services/grafana/auth_server_test.go
@@ -228,8 +228,7 @@ func TestAuthServerAuthenticate(t *testing.T) {
 		"/v1/readyz": none,
 		"/ping":      none,
 
-		"/v1/version":         viewer,
-		"/managed/v1/version": viewer,
+		"/v1/version": viewer,
 
 		"/v0/qan/ObjectDetails/GetQueryExample": viewer,
 
diff --git a/managed/services/supervisord/pmm_config.go b/managed/services/supervisord/pmm_config.go
index 78940e13e2..4ef71c0fdd 100644
--- a/managed/services/supervisord/pmm_config.go
+++ b/managed/services/supervisord/pmm_config.go
@@ -88,7 +88,8 @@ username = dummy
 password = dummy
 
 [program:pmm-update-perform-init]
-command = /usr/sbin/pmm-update -run-playbook -playbook=/usr/share/pmm-update/ansible/playbook/tasks/init.yml
+command = /usr/sbin/pmm-update -run-playbook -playbook=/opt/ansible/pmm-docker/init.yml
+user = pmm
 directory = /
 autorestart = unexpected
 priority=-1
@@ -169,6 +170,7 @@ command =
     /usr/sbin/pmm-managed
         --victoriametrics-config=/etc/victoriametrics-promscrape.yml
         --supervisord-config-dir=/etc/supervisord.d
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000
@@ -196,7 +198,8 @@ stdout_logfile_backups = 2
 redirect_stderr = true
 
 [program:pmm-update-perform]
-command = /usr/sbin/pmm-update -perform -playbook=/usr/share/pmm-update/ansible/playbook/tasks/update.yml
+command = /usr/sbin/pmm-update -perform -playbook=/opt/ansible/pmm-docker/update.yml
+user = pmm
 directory = /
 autorestart = unexpected
 exitcodes = 0
diff --git a/managed/testdata/supervisord.d/pmm-db_disabled.ini b/managed/testdata/supervisord.d/pmm-db_disabled.ini
index 4d7693ee99..a9191eb4b5 100644
--- a/managed/testdata/supervisord.d/pmm-db_disabled.ini
+++ b/managed/testdata/supervisord.d/pmm-db_disabled.ini
@@ -9,7 +9,8 @@ username = dummy
 password = dummy
 
 [program:pmm-update-perform-init]
-command = /usr/sbin/pmm-update -run-playbook -playbook=/usr/share/pmm-update/ansible/playbook/tasks/init.yml
+command = /usr/sbin/pmm-update -run-playbook -playbook=/opt/ansible/pmm-docker/init.yml
+user = pmm
 directory = /
 autorestart = unexpected
 priority=-1
@@ -62,6 +63,7 @@ command =
     /usr/sbin/pmm-managed
         --victoriametrics-config=/etc/victoriametrics-promscrape.yml
         --supervisord-config-dir=/etc/supervisord.d
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000
@@ -89,7 +91,8 @@ stdout_logfile_backups = 2
 redirect_stderr = true
 
 [program:pmm-update-perform]
-command = /usr/sbin/pmm-update -perform -playbook=/usr/share/pmm-update/ansible/playbook/tasks/update.yml
+command = /usr/sbin/pmm-update -perform -playbook=/opt/ansible/pmm-docker/update.yml
+user = pmm
 directory = /
 autorestart = unexpected
 exitcodes = 0
diff --git a/managed/testdata/supervisord.d/pmm-db_enabled.ini b/managed/testdata/supervisord.d/pmm-db_enabled.ini
index 891ae16f6e..bb28208342 100644
--- a/managed/testdata/supervisord.d/pmm-db_enabled.ini
+++ b/managed/testdata/supervisord.d/pmm-db_enabled.ini
@@ -9,7 +9,8 @@ username = dummy
 password = dummy
 
 [program:pmm-update-perform-init]
-command = /usr/sbin/pmm-update -run-playbook -playbook=/usr/share/pmm-update/ansible/playbook/tasks/init.yml
+command = /usr/sbin/pmm-update -run-playbook -playbook=/opt/ansible/pmm-docker/init.yml
+user = pmm
 directory = /
 autorestart = unexpected
 priority=-1
@@ -86,6 +87,7 @@ command =
     /usr/sbin/pmm-managed
         --victoriametrics-config=/etc/victoriametrics-promscrape.yml
         --supervisord-config-dir=/etc/supervisord.d
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000
@@ -113,7 +115,8 @@ stdout_logfile_backups = 2
 redirect_stderr = true
 
 [program:pmm-update-perform]
-command = /usr/sbin/pmm-update -perform -playbook=/usr/share/pmm-update/ansible/playbook/tasks/update.yml
+command = /usr/sbin/pmm-update -perform -playbook=/opt/ansible/pmm-docker/update.yml
+user = pmm
 directory = /
 autorestart = unexpected
 exitcodes = 0
diff --git a/managed/utils/envvars/parser.go b/managed/utils/envvars/parser.go
index b9a669e491..58266da869 100644
--- a/managed/utils/envvars/parser.go
+++ b/managed/utils/envvars/parser.go
@@ -83,7 +83,7 @@ func ParseEnvVars(envs []string) (*models.ChangeSettingsParams, []error, []strin
 
 		var err error
 		switch k {
-		case "_", "HOME", "HOSTNAME", "LANG", "PATH", "PWD", "SHLVL", "TERM", "LC_ALL":
+		case "_", "HOME", "HOSTNAME", "LANG", "PATH", "PWD", "SHLVL", "TERM", "LC_ALL", "SHELL", "LOGNAME", "USER", "PS1":
 			// skip default environment variables
 			continue
 		case "PMM_DEBUG", "PMM_TRACE":
diff --git a/qan-api2/.github/CONTRIBUTING.md b/qan-api2/CONTRIBUTING.md
similarity index 100%
rename from qan-api2/.github/CONTRIBUTING.md
rename to qan-api2/CONTRIBUTING.md
diff --git a/update/.devcontainer/install-dev-tools.sh b/update/.devcontainer/install-dev-tools.sh
index 7dc710b135..442a2e8bb6 100755
--- a/update/.devcontainer/install-dev-tools.sh
+++ b/update/.devcontainer/install-dev-tools.sh
@@ -8,7 +8,7 @@ set -o errexit
 set -o xtrace
 
 # download (in the background) the same verison as used by PMM build process
-curl -sS https://dl.google.com/go/go1.21.1.linux-amd64.tar.gz -o /tmp/golang.tar.gz &
+curl -sS https://dl.google.com/go/go1.21.5.linux-amd64.tar.gz -o /tmp/golang.tar.gz &
 
 # to install man pages
 sed -i '/nodocs/d' /etc/yum.conf
@@ -36,14 +36,14 @@ yum install -y gcc git make pkgconfig \
     bash-completion \
     man man-pages
 
-if [ "$RHEL" = '7' ]; then
+if [ "$RHEL" = "7" ]; then
     yum install -y ansible-lint glibc-static bash-completion-extras
 else
     yum install -y ansible-lint glibc-static --enablerepo=ol9_codeready_builder
 fi
 
 fg || true
-tar -C /usr/local -xzf /tmp/golang.tar.gz
+tar -C /usr/local -xzf /tmp/golang.tar.gz && rm -f /tmp/golang.tar.gz
 update-alternatives --install "/usr/bin/go" "go" "/usr/local/go/bin/go" 0
 update-alternatives --set go /usr/local/go/bin/go
 update-alternatives --install "/usr/bin/gofmt" "gofmt" "/usr/local/go/bin/gofmt" 0
diff --git a/update/Makefile b/update/Makefile
index fb3afa5c60..a4a3ac4551 100644
--- a/update/Makefile
+++ b/update/Makefile
@@ -71,8 +71,3 @@ env-down:                       ## Stop development environment
 
 install-dev-tools:
 	docker exec pmm-update-server /root/go/src/github.com/percona/pmm/update/.devcontainer/install-dev-tools.sh
-
-check:                          ## Run required checkers and linters
-	ansible-playbook --syntax-check ansible/playbook/tasks/update.yml
-	ansible-playbook --check ansible/playbook/tasks/update.yml
-	ansible-lint ansible/playbook/tasks/update.yml
diff --git a/update/ansible/playbook/templates/.gitkeep b/update/ansible/.gitkeep
similarity index 100%
rename from update/ansible/playbook/templates/.gitkeep
rename to update/ansible/.gitkeep
diff --git a/update/ansible/playbook/tasks/roles/clickhouse/main.yml b/update/ansible/playbook/tasks/roles/clickhouse/main.yml
deleted file mode 100644
index bb2f660bfd..0000000000
--- a/update/ansible/playbook/tasks/roles/clickhouse/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-# This role contains tasks executed during the migration of PMM Server from v2 to v3
-- name: Create a feature flag directory
-  file:
-    path: /srv/clickhouse/flags
-    state: directory
-    owner: pmm
-    group: pmm
-    mode: 0755
-    recurse: true
-
-- name: Create a feature flag
-  file:
-    path: /srv/clickhouse/flags/convert_ordinary_to_atomic
-    state: touch
-    owner: pmm
-    group: pmm
-    mode: 0755